From 9d59519a96c5e57ac858473bcd4ca9d411a5f679 Mon Sep 17 00:00:00 2001 From: Stefan Sedich Date: Tue, 28 Jul 2020 11:42:09 -0700 Subject: [PATCH 01/16] Add support to ensure user belongs in required groups when using the OIDC provider --- CHANGELOG.md | 3 + docs/configuration/configuration.md | 6 +- oauthproxy.go | 45 +++++++- oauthproxy_test.go | 147 +++++++++++++++++++++++- pkg/apis/options/options.go | 5 + pkg/apis/sessions/session_state.go | 7 +- pkg/apis/sessions/session_state_test.go | 11 ++ pkg/validation/options.go | 5 + providers/oidc.go | 23 ++++ providers/oidc_test.go | 47 +++++--- 10 files changed, 281 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 783c6dc718..43a58a78e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,11 +4,14 @@ ## Important Notes +- [#616](https://github.com/oauth2-proxy/oauth2-proxy/pull/616) Ensure you have configured oauth2-proxy to use the `groups` scope. The user may be logged out initially as they may not currently have the `groups` claim however after going back through login process wil be authenticated. + ## Breaking Changes ## Changes since v6.1.1 - [#764](https://github.com/oauth2-proxy/oauth2-proxy/pull/764) Document bcrypt encryption for htpasswd (and hide SHA) (@lentzi90) +- [#616](https://github.com/oauth2-proxy/oauth2-proxy/pull/616) Add support to ensure user belongs in required groups when using the OIDC provider (@stefansedich) # v6.1.1 diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md index 10e0afcc75..0370cdf4ea 100644 --- a/docs/configuration/configuration.md +++ b/docs/configuration/configuration.md 
@@ -78,12 +78,13 @@ An example [oauth2-proxy.cfg]({{ site.gitweb }}/contrib/oauth2-proxy.cfg.example | `--insecure-oidc-skip-issuer-verification` | bool | allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility) | false | | `--oidc-issuer-url` | string | the OpenID Connect issuer URL, e.g. `"https://accounts.google.com"` | | | `--oidc-jwks-url` | string | OIDC JWKS URI for token verification; required if OIDC discovery is disabled | | +| `--oidc-groups-claim` | string | which claim contains the user groups | `"groups"` | | `--pass-access-token` | bool | pass OAuth access_token to upstream via X-Forwarded-Access-Token header | false | | `--pass-authorization-header` | bool | pass OIDC IDToken to upstream via Authorization Bearer header | false | | `--pass-basic-auth` | bool | pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream | true | | `--prefer-email-to-user` | bool | Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with `--pass-basic-auth` and `--pass-user-headers` | false | | `--pass-host-header` | bool | pass the request Host Header to upstream | true | -| `--pass-user-headers` | bool | pass X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream | true | +| `--pass-user-headers` | bool | pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream | true | | `--profile-url` | string | Profile access endpoint | | | `--prompt` | string | [OIDC prompt](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest); if present, `approval-prompt` is ignored | `""` | | `--provider` | string | OAuth provider | google | 
@@ -112,7 +113,7 @@ An example [oauth2-proxy.cfg]({{ site.gitweb }}/contrib/oauth2-proxy.cfg.example | `--scope` | string | OAuth scope specification | | | `--session-cookie-minimal` | bool | strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only) | false | | `--session-store-type` | string | [Session data storage backend](configuration/sessions); redis or cookie | cookie | -| `--set-xauthrequest` | bool | set X-Auth-Request-User, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode) | false | +| `--set-xauthrequest` | bool | set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode) | false | | `--set-authorization-header` | bool | set Authorization Bearer response header (useful in Nginx auth_request mode) | false | | `--set-basic-auth` | bool | set HTTP Basic Auth information in response (useful in Nginx auth_request mode) | false | | `--signature-key` | string | GAP-Signature request signature key (algorithm:secretkey) | | @@ -131,6 +132,7 @@ An example [oauth2-proxy.cfg]({{ site.gitweb }}/contrib/oauth2-proxy.cfg.example | `--tls-key-file` | string | path to private key file | | | `--upstream` | string \| list | the http url(s) of the upstream endpoint, file:// paths for static files or `static://` for static response. Routing is based on the path | | | `--user-id-claim` | string | which claim contains the user ID | \["email"\] | +| `--allowed-group` | string \| list | restrict logins to members of this group (may be given multiple times) | | | `--validate-url` | string | Access token validation endpoint | | | `--version` | n/a | print version string | | | `--whitelist-domain` | string \| list | allowed domains for redirection after authentication. Prefix domain with a `.` to allow subdomains (e.g. `.example.com`) \[[2](#footnote2)\] | | 
diff --git a/oauthproxy.go b/oauthproxy.go index f4d3c496e5..17d106d5d1 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -102,6 +102,7 @@ type OAuthProxy struct { trustedIPs *ip.NetSet Banner string Footer string + AllowedGroups []string sessionChain alice.Chain } @@ -215,6 +216,7 @@ func NewOAuthProxy(opts *options.Options, validator func(string) bool) (*OAuthPr Banner: opts.Banner, Footer: opts.Footer, SignInMessage: buildSignInMessage(opts), + AllowedGroups: opts.AllowedGroups, basicAuthValidator: basicAuthValidator, displayHtpasswdForm: basicAuthValidator != nil, @@ -888,7 +890,10 @@ func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.R return nil, ErrNeedsLogin } - if session != nil && session.Email != "" && !p.Validator(session.Email) { + invalidEmail := session != nil && session.Email != "" && !p.Validator(session.Email) + invalidGroups := session != nil && !p.validateGroups(session.Groups) + + if invalidEmail || invalidGroups { logger.Printf(session.Email, req, logger.AuthFailure, "Invalid authentication via session: removing session %s", session) // Invalid session, clear it err := p.ClearSessionCookie(rw, req) @@ -942,6 +947,14 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req } else { req.Header.Del("X-Forwarded-Preferred-Username") } + + if len(session.Groups) > 0 { + for _, group := range session.Groups { + req.Header.Add("X-Forwarded-Groups", group) + } + } else { + req.Header.Del("X-Forwarded-Groups") + } } if p.SetXAuthRequest { @@ -964,6 +977,14 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req rw.Header().Del("X-Auth-Request-Access-Token") } } + + if len(session.Groups) > 0 { + for _, group := range session.Groups { + rw.Header().Add("X-Auth-Request-Groups", group) + } + } else { + rw.Header().Del("X-Auth-Request-Groups") + } } if p.PassAccessToken { 
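Review bot: The group check in the getAuthenticatedSession hunk (`invalidGroups := session != nil && !p.validateGroups(session.Groups)`) is the only place this commit enforces `--allowed-group`; no hunk touches the OAuth callback where the session is first created, so (inferred, that code is outside the diff) a user outside every allowed group completes the IdP round-trip, has a session cookie written, and is only rejected on the next request, where the cookie is cleared and `ErrNeedsLogin` renders the sign-in page rather than an explicit denial. That is weaker than what the email `Validator` already gets at callback time, where a failing account is refused with a 403 before any session is saved. I would apply `p.validateGroups(session.Groups)` alongside `p.Validator(session.Email)` in the callback, e.g. `if !p.Validator(session.Email) || !p.validateGroups(session.Groups) { ... ErrorPage(rw, req, http.StatusForbidden, ...) }`, so unauthorized users never hold a cookie and see why they were denied. getAuthenticatedSession starts and ends outside this hunk.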
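Review bot: Both addHeadersForProxying hunks emit one `X-Forwarded-Groups` / `X-Auth-Request-Groups` field per group via `Header.Add`, and most upstreams and intermediate proxies fold repeated fields into a single comma-joined value (RFC 7230 §3.2.2), so a group name that itself contains a comma becomes ambiguous on the receiving side and cannot be parsed back reliably. Either join explicitly with a documented separator, `req.Header.Set("X-Forwarded-Groups", strings.Join(session.Groups, ","))`, and state in the `--pass-user-headers` docs that commas in group names are not supported, or document that the header is multi-valued and upstreams must read all occurrences. The two loops are also identical apart from the header map they write to; a small helper `setGroupsHeader(h http.Header, name string, groups []string)` would keep them from drifting. addHeadersForProxying starts and ends outside these hunks.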
@@ -1012,6 +1033,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 func (p *OAuthProxy) stripAuthHeaders(req *http.Request) {
 	if p.PassBasicAuth {
 		req.Header.Del("X-Forwarded-User")
+		req.Header.Del("X-Forwarded-Groups")
 		req.Header.Del("X-Forwarded-Email")
 		req.Header.Del("X-Forwarded-Preferred-Username")
 		req.Header.Del("Authorization")
@@ -1019,6 +1041,7 @@ func (p *OAuthProxy) stripAuthHeaders(req *http.Request) {
 
 	if p.PassUserHeaders {
 		req.Header.Del("X-Forwarded-User")
+		req.Header.Del("X-Forwarded-Groups")
 		req.Header.Del("X-Forwarded-Email")
 		req.Header.Del("X-Forwarded-Preferred-Username")
 	}
@@ -1049,3 +1072,23 @@ func (p *OAuthProxy) ErrorJSON(rw http.ResponseWriter, code int) {
 	rw.Header().Set("Content-Type", applicationJSON)
 	rw.WriteHeader(code)
 }
+
+func (p *OAuthProxy) validateGroups(groups []string) bool {
+	if len(p.AllowedGroups) == 0 {
+		return true
+	}
+
+	allowedGroups := map[string]struct{}{}
+
+	for _, group := range p.AllowedGroups {
+		allowedGroups[group] = struct{}{}
+	}
+
+	for _, group := range groups {
+		if _, ok := allowedGroups[group]; ok {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/oauthproxy_test.go b/oauthproxy_test.go
index 8342527415..395df820f7 100644
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
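Review bot: validateGroups rebuilds the `allowedGroups` set from `p.AllowedGroups` on every authenticated request, although the allowed list is fixed for the life of the proxy; build the set once in NewOAuthProxy (store it as `allowedGroups map[string]struct{}` next to `AllowedGroups`) and reduce this function to the membership loop, `if _, ok := p.allowedGroups[group]; ok { return true }`. The function also deserves a doc comment stating the contract, since it is the authorization decision: `// validateGroups reports whether the session is a member of at least one configured allowed group (exact, case-sensitive match); an empty allowed list permits everyone.` Note that with no allowed groups configured the check is a no-op, so `X-Forwarded-Groups` is still forwarded for whatever the IdP returned; that is fine but worth a sentence in the `--allowed-group` docs.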
@@ -592,6 +592,37 @@ func TestPassUserHeadersWithEmail(t *testing.T) { } } +func TestPassGroupsHeadersWithGroups(t *testing.T) { + opts := baseTestOptions() + err := validation.Validate(opts) + assert.NoError(t, err) + + const emailAddress = "john.doe@example.com" + const userName = "9fcab5c9b889a557" + + groups := []string{"a", "b"} + created := time.Now() + session := &sessions.SessionState{ + User: userName, + Groups: groups, + Email: emailAddress, + AccessToken: "oauth_token", + CreatedAt: &created, + } + { + rw := httptest.NewRecorder() + req, _ := http.NewRequest("GET", opts.ProxyPrefix+"/testCase0", nil) + proxy, err := NewOAuthProxy(opts, func(email string) bool { + return email == emailAddress + }) + if err != nil { + t.Fatal(err) + } + proxy.addHeadersForProxying(rw, req, session) + assert.Equal(t, groups, req.Header["X-Forwarded-Groups"]) + } +} + func TestStripAuthHeaders(t *testing.T) { testCases := map[string]struct { SkipAuthStripHeaders bool @@ -609,6 +640,7 @@ func TestStripAuthHeaders(t *testing.T) { PassAuthorization: false, StrippedHeaders: map[string]bool{ "X-Forwarded-User": true, + "X-Forwared-Groups": true, "X-Forwarded-Email": true, "X-Forwarded-Preferred-Username": true, "X-Forwarded-Access-Token": false, @@ -623,6 +655,7 @@ func TestStripAuthHeaders(t *testing.T) { PassAuthorization: false, StrippedHeaders: map[string]bool{ "X-Forwarded-User": true, + "X-Forwared-Groups": true, "X-Forwarded-Email": true, "X-Forwarded-Preferred-Username": true, "X-Forwarded-Access-Token": true, @@ -637,6 +670,7 @@ func TestStripAuthHeaders(t *testing.T) { PassAuthorization: false, StrippedHeaders: map[string]bool{ "X-Forwarded-User": true, + "X-Forwared-Groups": true, "X-Forwarded-Email": true, "X-Forwarded-Preferred-Username": true, "X-Forwarded-Access-Token": true, 
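Review bot: The header key added to every StrippedHeaders map in the TestStripAuthHeaders hunks is misspelled, `"X-Forwared-Groups"`, while the request is seeded with the correctly spelled `"X-Forwarded-Groups": "a,b,c"` in the initialHeaders hunk below, so the new assertions never look at the header that stripAuthHeaders actually deletes and pass vacuously in both the stripped and not-stripped cases (assuming the loop outside the hunk iterates the map keys and reads them back with `req.Header.Get`). Change each occurrence to `"X-Forwarded-Groups": true,` / `"X-Forwarded-Groups": false,`; as written the test would not catch a regression that stops stripping the new header, which is the security-relevant property here. TestStripAuthHeaders starts before and ends after these hunks.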
@@ -651,6 +685,7 @@ func TestStripAuthHeaders(t *testing.T) { PassAuthorization: true, StrippedHeaders: map[string]bool{ "X-Forwarded-User": false, + "X-Forwared-Groups": false, "X-Forwarded-Email": false, "X-Forwarded-Preferred-Username": false, "X-Forwarded-Access-Token": false, @@ -665,6 +700,7 @@ func TestStripAuthHeaders(t *testing.T) { PassAuthorization: false, StrippedHeaders: map[string]bool{ "X-Forwarded-User": false, + "X-Forwared-Groups": false, "X-Forwarded-Email": false, "X-Forwarded-Preferred-Username": false, "X-Forwarded-Access-Token": false, @@ -679,6 +715,7 @@ func TestStripAuthHeaders(t *testing.T) { PassAuthorization: false, StrippedHeaders: map[string]bool{ "X-Forwarded-User": false, + "X-Forwared-Groups": false, "X-Forwarded-Email": false, "X-Forwarded-Preferred-Username": false, "X-Forwarded-Access-Token": false, @@ -690,6 +727,7 @@ func TestStripAuthHeaders(t *testing.T) { initialHeaders := map[string]string{ "X-Forwarded-User": "9fcab5c9b889a557", "X-Forwarded-Email": "john.doe@example.com", + "X-Forwarded-Groups": "a,b,c", "X-Forwarded-Preferred-Username": "john.doe", "X-Forwarded-Access-Token": "AccessToken", "Authorization": "bearer IDToken", @@ -1333,6 +1371,7 @@ func TestAuthOnlyEndpointSetXAuthRequestHeaders(t *testing.T) { pcTest.opts = baseTestOptions() pcTest.opts.SetXAuthRequest = true + pcTest.opts.AllowedGroups = []string{"oauth_groups"} err := validation.Validate(pcTest.opts) assert.NoError(t, err) 
@@ -1354,13 +1393,14 @@ func TestAuthOnlyEndpointSetXAuthRequestHeaders(t *testing.T) { created := time.Now() startSession := &sessions.SessionState{ - User: "oauth_user", Email: "oauth_user@example.com", AccessToken: "oauth_token", CreatedAt: &created} + User: "oauth_user", Groups: []string{"oauth_groups"}, Email: "oauth_user@example.com", AccessToken: "oauth_token", CreatedAt: &created} err = pcTest.SaveSession(startSession) assert.NoError(t, err) pcTest.proxy.ServeHTTP(pcTest.rw, pcTest.req) assert.Equal(t, http.StatusAccepted, pcTest.rw.Code) assert.Equal(t, "oauth_user", pcTest.rw.Header().Get("X-Auth-Request-User")) + assert.Equal(t, startSession.Groups, pcTest.rw.Header().Values("X-Auth-Request-Groups")) assert.Equal(t, "oauth_user@example.com", pcTest.rw.Header().Get("X-Auth-Request-Email")) } 
@@ -2199,3 +2239,108 @@ func TestTrustedIPs(t *testing.T) { }) } } + +func TestProxyAllowedGroups(t *testing.T) { + tests := []struct { + name string + allowedGroups []string + groups []string + expectUnauthorized bool + }{ + {"NoAllowedGroups", []string{}, []string{}, false}, + {"NoAllowedGroupsUserHasGroups", []string{}, []string{"a", "b"}, false}, + {"UserInAllowedGroup", []string{"a"}, []string{"a", "b"}, false}, + {"UserNotInAllowedGroup", []string{"a"}, []string{"c"}, true}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + emailAddress := "test" + created := time.Now() + + session := &sessions.SessionState{ + Groups: tt.groups, + Email: emailAddress, + AccessToken: "oauth_token", + CreatedAt: &created, + } + + upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(200) + })) + t.Cleanup(upstream.Close) + + test, err := NewProcessCookieTestWithOptionsModifiers(func(opts *options.Options) { + opts.AllowedGroups = tt.allowedGroups + opts.UpstreamServers = options.Upstreams{ + { + ID: upstream.URL, + Path: "/", + URI: upstream.URL, + }, + } + }) + if err != nil { + t.Fatal(err) + } + + test.req, _ = http.NewRequest("GET", "/", nil) + + test.req.Header.Add("accept", applicationJSON) + test.SaveSession(session) + test.proxy.ServeHTTP(test.rw, test.req) + + if tt.expectUnauthorized { + assert.Equal(t, http.StatusUnauthorized, test.rw.Code) + } else { + assert.Equal(t, http.StatusOK, test.rw.Code) + } + }) + } +} + +func TestAuthOnlyAllowedGroups(t *testing.T) { + tests := []struct { + name string + allowedGroups []string + groups []string + expectUnauthorized bool + }{ + {"NoAllowedGroups", []string{}, []string{}, false}, + {"NoAllowedGroupsUserHasGroups", []string{}, []string{"a", "b"}, false}, + {"UserInAllowedGroup", []string{"a"}, []string{"a", "b"}, false}, + {"UserNotInAllowedGroup", []string{"a"}, []string{"c"}, true}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t 
*testing.T) { + emailAddress := "test" + created := time.Now() + + session := &sessions.SessionState{ + Groups: tt.groups, + Email: emailAddress, + AccessToken: "oauth_token", + CreatedAt: &created, + } + + test, err := NewAuthOnlyEndpointTest(func(opts *options.Options) { + opts.AllowedGroups = tt.allowedGroups + }) + if err != nil { + t.Fatal(err) + } + + err = test.SaveSession(session) + assert.NoError(t, err) + + test.proxy.ServeHTTP(test.rw, test.req) + + if tt.expectUnauthorized { + assert.Equal(t, http.StatusUnauthorized, test.rw.Code) + } else { + assert.Equal(t, http.StatusAccepted, test.rw.Code) + } + }) + } +} diff --git a/pkg/apis/options/options.go b/pkg/apis/options/options.go index b723b60b76..e9f506cb66 100644 --- a/pkg/apis/options/options.go +++ b/pkg/apis/options/options.go @@ -93,6 +93,7 @@ type Options struct { InsecureOIDCSkipIssuerVerification bool `flag:"insecure-oidc-skip-issuer-verification" cfg:"insecure_oidc_skip_issuer_verification"` SkipOIDCDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"` OIDCJwksURL string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url"` + OIDCGroupsClaim string `flag:"oidc-groups-claim" cfg:"oidc_groups_claim"` LoginURL string `flag:"login-url" cfg:"login_url"` RedeemURL string `flag:"redeem-url" cfg:"redeem_url"` ProfileURL string `flag:"profile-url" cfg:"profile_url"` @@ -102,6 +103,7 @@ type Options struct { Prompt string `flag:"prompt" cfg:"prompt"` ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt"` // Deprecated by OIDC 1.0 UserIDClaim string `flag:"user-id-claim" cfg:"user_id_claim"` + AllowedGroups []string `flag:"allowed-group" cfg:"allowed_groups"` SignatureKey string `flag:"signature-key" cfg:"signature_key"` AcrValues string `flag:"acr-values" cfg:"acr_values"` @@ -167,6 +169,7 @@ func NewOptions() *Options { InsecureOIDCAllowUnverifiedEmail: false, SkipOIDCDiscovery: false, Logging: loggingDefaults(), + OIDCGroupsClaim: "groups", } } 
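Review bot: In TestProxyAllowedGroups the return value of `test.SaveSession(session)` is discarded, while the sibling TestAuthOnlyAllowedGroups in the same hunk checks it with `assert.NoError`; if saving fails, the "UserNotInAllowedGroup" case would still see a 401 from the missing session and the test would pass for the wrong reason. Use the same pattern here, `err = test.SaveSession(session)` followed by `assert.NoError(t, err)`. It would also strengthen the negative case to assert that the response cleared the session cookie, since that is the behaviour the getAuthenticatedSession change introduces.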
@@ -248,6 +251,7 @@ func NewFlagSet() *pflag.FlagSet { flagSet.Bool("insecure-oidc-skip-issuer-verification", false, "Do not verify if issuer matches OIDC discovery URL") flagSet.Bool("skip-oidc-discovery", false, "Skip OIDC discovery and use manually supplied Endpoints") flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)") + flagSet.String("oidc-groups-claim", "groups", "which claim contains the user groups") flagSet.String("login-url", "", "Authentication endpoint") flagSet.String("redeem-url", "", "Token redemption endpoint") flagSet.String("profile-url", "", "Profile access endpoint") @@ -265,6 +269,7 @@ func NewFlagSet() *pflag.FlagSet { flagSet.Bool("gcp-healthchecks", false, "Enable GCP/GKE healthcheck endpoints") flagSet.String("user-id-claim", "email", "which claim contains the user ID") + flagSet.StringSlice("allowed-group", []string{}, "restrict logins to members of this group (may be given multiple times)") flagSet.AddFlagSet(cookieFlagSet()) flagSet.AddFlagSet(loggingFlagSet()) diff --git a/pkg/apis/sessions/session_state.go b/pkg/apis/sessions/session_state.go index e69c4db47d..b10c347ae3 100644 --- a/pkg/apis/sessions/session_state.go +++ b/pkg/apis/sessions/session_state.go @@ -7,6 +7,7 @@ import ( "fmt" "io" "io/ioutil" + "reflect" "time" "unicode/utf8" @@ -24,6 +25,7 @@ type SessionState struct { RefreshToken string `json:",omitempty" msgpack:"rt,omitempty"` Email string `json:",omitempty" msgpack:"e,omitempty"` User string `json:",omitempty" msgpack:"u,omitempty"` + Groups []string `json:",omitempty" msgpack:"g,omitempty"` PreferredUsername string `json:",omitempty" msgpack:"pu,omitempty"` } @@ -61,6 +63,9 @@ func (s *SessionState) String() string { if s.RefreshToken != "" { o += " refresh_token:true" } + if len(s.Groups) > 0 { + o += fmt.Sprintf(" groups:%v", s.Groups) + } return o + "}" } 
@@ -233,7 +238,7 @@ func (s *SessionState) validate() error { } empty := new(SessionState) - if *s == *empty { + if reflect.DeepEqual(*s, *empty) { return errors.New("invalid empty session unmarshalled") } diff --git a/pkg/apis/sessions/session_state_test.go b/pkg/apis/sessions/session_state_test.go index 08216b2697..3100592891 100644 --- a/pkg/apis/sessions/session_state_test.go +++ b/pkg/apis/sessions/session_state_test.go @@ -186,6 +186,17 @@ func TestEncodeAndDecodeSessionState(t *testing.T) { IDToken: "IDToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7", ExpiresOn: &expires, }, + "With groups": { + Email: "username@example.com", + User: "username", + PreferredUsername: "preferred.username", + AccessToken: "AccessToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7", + IDToken: "IDToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7", + CreatedAt: &created, + ExpiresOn: &expires, + RefreshToken: "RefreshToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7", + Groups: []string{"group-a", "group-b"}, + }, } for _, secretSize := range []int{16, 24, 32} { diff --git a/pkg/validation/options.go b/pkg/validation/options.go index f9325cf0f5..75f678bee0 100644 --- a/pkg/validation/options.go +++ b/pkg/validation/options.go @@ -152,6 +152,10 @@ func Validate(o *options.Options) error { } if o.Scope == "" { o.Scope = "openid email profile" + + if len(o.AllowedGroups) > 0 { + o.Scope += " groups" + } } } @@ -279,6 +283,7 @@ func parseProviderInfo(o *options.Options, msgs []string) []string { case *providers.OIDCProvider: p.AllowUnverifiedEmail = o.InsecureOIDCAllowUnverifiedEmail p.UserIDClaim = o.UserIDClaim + p.GroupsClaim = o.OIDCGroupsClaim if o.GetOIDCVerifier() == nil { msgs = append(msgs, "oidc provider requires an oidc issuer URL") } else { diff --git a/providers/oidc.go b/providers/oidc.go index b14e0b6118..7162740f31 100644 --- a/providers/oidc.go +++ b/providers/oidc.go 
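Review bot: The Validate hunk appends ` groups` to the scope only when `o.Scope` is empty, so an operator who already sets `--scope` explicitly (common, e.g. to add `offline_access`) and then enables `--allowed-group` gets no groups claim from IdPs that gate it on that scope, and every login is silently rejected by the new session check with nothing pointing at the scope. Add a diagnostic for that combination next to this block, as a warning rather than a hard error because some IdPs emit the claim without a dedicated scope: `if len(o.AllowedGroups) > 0 && !strings.Contains(o.Scope, "groups") { logger.Printf("WARNING: allowed-group is set but scope %q does not request the groups claim; logins may be rejected", o.Scope) }` (assuming `strings` and `logger` are already imported in this file). A matching sentence in the `--allowed-group` docs would help too. Validate starts and ends outside this hunk.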
@@ -22,6 +22,7 @@ type OIDCProvider struct { Verifier *oidc.IDTokenVerifier AllowUnverifiedEmail bool UserIDClaim string + GroupsClaim string } // NewOIDCProvider initiates a new OIDCProvider @@ -123,6 +124,7 @@ func (p *OIDCProvider) redeemRefreshToken(ctx context.Context, s *sessions.Sessi s.IDToken = newSession.IDToken s.Email = newSession.Email s.User = newSession.User + s.Groups = newSession.Groups s.PreferredUsername = newSession.PreferredUsername } @@ -204,6 +206,7 @@ func (p *OIDCProvider) createSessionStateInternal(ctx context.Context, idToken * newSession.Email = claims.UserID // TODO Rename SessionState.Email to .UserID in the near future newSession.User = claims.Subject + newSession.Groups = claims.Groups newSession.PreferredUsername = claims.PreferredUsername verifyEmail := (p.UserIDClaim == emailClaim) && !p.AllowUnverifiedEmail @@ -222,6 +225,7 @@ func (p *OIDCProvider) ValidateSessionState(ctx context.Context, s *sessions.Ses func (p *OIDCProvider) findClaimsFromIDToken(ctx context.Context, idToken *oidc.IDToken, token *oauth2.Token) (*OIDCClaims, error) { claims := &OIDCClaims{} + // Extract default claims. if err := idToken.Claims(&claims); err != nil { return nil, fmt.Errorf("failed to parse default id_token claims: %v", err) @@ -236,6 +240,8 @@ func (p *OIDCProvider) findClaimsFromIDToken(ctx context.Context, idToken *oidc. claims.UserID = fmt.Sprint(userID) } + claims.Groups = p.extractGroupsFromRawClaims(claims.rawClaims) + // userID claim was not present or was empty in the ID Token if claims.UserID == "" { // BearerToken case, allow empty UserID 
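Review bot: In the findClaimsFromIDToken hunk, `claims.Groups = p.extractGroupsFromRawClaims(claims.rawClaims)` reads groups only from the ID token and yields an empty list when the configured claim is absent, which is the common case for IdPs that expose groups only through the UserInfo endpoint or the access token; combined with `--allowed-group` that means a blanket denial with no log line distinguishing "claim missing" from "not a member". Emit a diagnostic when the claim is not present at all, `if _, present := claims.rawClaims[p.GroupsClaim]; !present { logger.Printf("groups claim %q not found in id_token", p.GroupsClaim) }` using whatever logger this file already has, and consider falling back to the profile URL for groups the way the `claims.UserID == ""` branch below already does for the user ID. findClaimsFromIDToken continues outside this hunk.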
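Review bot: The redeemRefreshToken hunk is the only place a live session's groups are re-read (`s.Groups = newSession.Groups`); ValidateSessionState, whose signature is the last context line of the next hunk, only validates the token and leaves `s.Groups` untouched. So removing a user from an allowed group takes effect at the next `--cookie-refresh` interval or re-login, not on the next request, and operators sizing the refresh interval should know that. Add that caveat as a comment here, `// groups are only re-evaluated on refresh; revocation latency is bounded by the cookie refresh interval`, and mirror it in the `--allowed-group` documentation.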
@@ -273,10 +279,27 @@ func (p *OIDCProvider) findClaimsFromIDToken(ctx context.Context, idToken *oidc. return claims, nil } +func (p *OIDCProvider) extractGroupsFromRawClaims(rawClaims map[string]interface{}) []string { + groups := []string{} + + rawGroups, ok := rawClaims[p.GroupsClaim].([]interface{}) + if rawGroups != nil && ok { + for _, rawGroup := range rawGroups { + group, ok := rawGroup.(string) + if ok { + groups = append(groups, group) + } + } + } + + return groups +} + type OIDCClaims struct { rawClaims map[string]interface{} UserID string Subject string `json:"sub"` Verified *bool `json:"email_verified"` PreferredUsername string `json:"preferred_username"` + Groups []string } diff --git a/providers/oidc_test.go b/providers/oidc_test.go index 9e96752d69..5e91418b76 100644 --- a/providers/oidc_test.go +++ b/providers/oidc_test.go @@ -29,10 +29,12 @@ const clientID = "https://test.myapp.com" const secret = "secret" type idTokenClaims struct { - Name string `json:"name,omitempty"` - Email string `json:"email,omitempty"` - Phone string `json:"phone_number,omitempty"` - Picture string `json:"picture,omitempty"` + Name string `json:"name,omitempty"` + Email string `json:"email,omitempty"` + Phone string `json:"phone_number,omitempty"` + Picture string `json:"picture,omitempty"` + Groups []string `json:"groups,omitempty"` + OtherGroups []string `json:"other_groups,omitempty"` jwt.StandardClaims } @@ -49,6 +51,8 @@ var defaultIDToken idTokenClaims = idTokenClaims{ "janed@me.com", "+4798765432", "http://mugbook.com/janed/me.jpg", + []string{"test:a", "test:b"}, + []string{"test:c", "test:d"}, jwt.StandardClaims{ Audience: "https://test.myapp.com", ExpiresAt: time.Now().Add(time.Duration(5) * time.Minute).Unix(), @@ -65,6 +69,8 @@ var minimalIDToken idTokenClaims = idTokenClaims{ "", "", "", + []string{}, + []string{}, jwt.StandardClaims{ Audience: "https://test.myapp.com", ExpiresAt: time.Now().Add(time.Duration(5) * time.Minute).Unix(), 
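Review bot: extractGroupsFromRawClaims accepts only a JSON array of strings; a claim delivered as a single bare string (some IdPs emit `"groups": "admin"` for a one-group user) or as an array containing a non-string element is silently dropped, and with `--allowed-group` set that silently turns into a denial. The `rawGroups != nil` test is also redundant, since `ok` is already false for a missing or nil-valued claim and ranging over a nil slice is a no-op. A type switch handles both shapes and reads more directly; non-string array elements are still skipped, which is reasonable, but a debug log there would make lockouts diagnosable.

```go
func (p *OIDCProvider) extractGroupsFromRawClaims(rawClaims map[string]interface{}) []string {
	groups := []string{}

	switch raw := rawClaims[p.GroupsClaim].(type) {
	case []interface{}:
		for _, rawGroup := range raw {
			if group, ok := rawGroup.(string); ok {
				groups = append(groups, group)
			}
		}
	case string:
		// some IdPs emit a single group as a bare string rather than a one-element array
		groups = append(groups, raw)
	}

	return groups
}
```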
@@ -273,25 +279,39 @@ func TestCreateSessionStateFromBearerToken(t *testing.T) { const profileURLEmail = "janed@me.com" testCases := map[string]struct { - IDToken idTokenClaims - ExpectedUser string - ExpectedEmail string + IDToken idTokenClaims + GroupsClaim string + ExpectedUser string + ExpectedEmail string + ExpectedGroups []string }{ "Default IDToken": { - IDToken: defaultIDToken, - ExpectedUser: defaultIDToken.Subject, - ExpectedEmail: defaultIDToken.Email, + IDToken: defaultIDToken, + GroupsClaim: "groups", + ExpectedUser: defaultIDToken.Subject, + ExpectedEmail: defaultIDToken.Email, + ExpectedGroups: []string{"test:a", "test:b"}, }, "Minimal IDToken with no email claim": { - IDToken: minimalIDToken, - ExpectedUser: minimalIDToken.Subject, - ExpectedEmail: minimalIDToken.Subject, + IDToken: minimalIDToken, + GroupsClaim: "groups", + ExpectedUser: minimalIDToken.Subject, + ExpectedEmail: minimalIDToken.Subject, + ExpectedGroups: []string{}, + }, + "Custom Groups Claim": { + IDToken: defaultIDToken, + GroupsClaim: "other_groups", + ExpectedUser: defaultIDToken.Subject, + ExpectedEmail: defaultIDToken.Email, + ExpectedGroups: []string{"test:c", "test:d"}, }, } for testName, tc := range testCases { t.Run(testName, func(t *testing.T) { jsonResp := []byte(fmt.Sprintf(`{"email":"%s"}`, profileURLEmail)) server, provider := newTestSetup(jsonResp) + provider.GroupsClaim = tc.GroupsClaim defer server.Close() rawIDToken, err := newSignedTestIDToken(tc.IDToken) @@ -311,6 +331,7 @@ func TestCreateSessionStateFromBearerToken(t *testing.T) { assert.Equal(t, tc.ExpectedEmail, ss.Email) assert.Equal(t, rawIDToken, ss.IDToken) assert.Equal(t, rawIDToken, ss.AccessToken) + assert.Equal(t, tc.ExpectedGroups, ss.Groups) assert.Equal(t, "", ss.RefreshToken) }) } From 4a04ff452929de990cbc47faf8f818df1fe72248 Mon Sep 17 00:00:00 2001 
From: blz-ea Date: Tue, 22 Sep 2020 20:13:00 -0400 Subject: [PATCH 02/16] docs: fix Keycloak provider documentation --- docs/2_auth.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/2_auth.md b/docs/2_auth.md index 974dfbc946..d823028993 100644 --- a/docs/2_auth.md +++ b/docs/2_auth.md @@ -142,9 +142,9 @@ Make sure you set the following to the appropriate url: -provider=keycloak -client-id= -client-secret= - -login-url="http(s):///realms//protocol/openid-connect/auth" - -redeem-url="http(s):///realms//protocol/openid-connect/token" - -validate-url="http(s):///realms//protocol/openid-connect/userinfo" + -login-url="http(s):///auth/realms//protocol/openid-connect/auth" + -redeem-url="http(s):///auth/realms//protocol/openid-connect/token" + -validate-url="http(s):///auth/realms//protocol/openid-connect/userinfo" -keycloak-group= The group management in keycloak is using a tree. If you create a group named admin in keycloak you should define the 'keycloak-group' value to /admin. From 56f199a24f313f3b68f620ec278a9c40c2ee390c Mon Sep 17 00:00:00 2001 From: Nick Meves Date: Sun, 24 May 2020 11:02:08 -0700 Subject: [PATCH 03/16] Stop accepting legacy SHA1 signed cookies --- CHANGELOG.md | 4 ++++ pkg/encryption/utils.go | 13 +------------ pkg/encryption/utils_test.go | 4 ++-- 3 files changed, 7 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 43a58a78e4..f8ff3c3310 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,12 +4,16 @@ ## Important Notes +- [#575](https://github.com/oauth2-proxy/oauth2-proxy/pull/575) Sessions from v5.1.1 or earlier will no longer validate since they were not signed with SHA1. + - Sessions from v6.0.0 or later had a graceful conversion to SHA256 that resulted in no reauthentication + - Upgrading from v5.1.1 or earlier will result in a reauthentication - [#616](https://github.com/oauth2-proxy/oauth2-proxy/pull/616) Ensure you have configured oauth2-proxy to use the `groups` scope. The user may be logged out initially as they may not currently have the `groups` claim however after going back through login process wil be authenticated. ## Breaking Changes ## Changes since v6.1.1 +- [#575](https://github.com/oauth2-proxy/oauth2-proxy/pull/575) Stop accepting legacy SHA1 signed cookies (@NickMeves) - [#764](https://github.com/oauth2-proxy/oauth2-proxy/pull/764) Document bcrypt encryption for htpasswd (and hide SHA) (@lentzi90) - [#616](https://github.com/oauth2-proxy/oauth2-proxy/pull/616) Add support to ensure user belongs in required groups when using the OIDC provider (@stefansedich) diff --git a/pkg/encryption/utils.go b/pkg/encryption/utils.go index 269a89c6af..c9d19249d2 100644 --- a/pkg/encryption/utils.go +++ b/pkg/encryption/utils.go @@ -2,8 +2,6 @@ package encryption import ( "crypto/hmac" - // TODO (@NickMeves): Remove SHA1 signed cookie support in V7 - "crypto/sha1" // #nosec G505 "crypto/sha256" "encoding/base64" "fmt" @@ -95,16 +93,7 @@ func checkSignature(signature string, args ...string) bool { if err != nil { return false } - if checkHmac(signature, checkSig) { - return true - } - - // TODO (@NickMeves): Remove SHA1 signed cookie support in V7 - legacySig, err := cookieSignature(sha1.New, args...) - if err != nil { - return false - } - return checkHmac(signature, legacySig) + return checkHmac(signature, checkSig) } func checkHmac(input, expected string) bool { 
diff --git a/pkg/encryption/utils_test.go b/pkg/encryption/utils_test.go index 162c64ce80..2500d4ab15 100644 --- a/pkg/encryption/utils_test.go +++ b/pkg/encryption/utils_test.go @@ -94,8 +94,8 @@ func TestSignAndValidate(t *testing.T) { assert.NoError(t, err) assert.True(t, checkSignature(sha256sig, seed, key, value, epoch)) - // This should be switched to False after fully deprecating SHA1 - assert.True(t, checkSignature(sha1sig, seed, key, value, epoch)) + // We don't validate legacy SHA1 signatures anymore + assert.False(t, checkSignature(sha1sig, seed, key, value, epoch)) assert.False(t, checkSignature(sha256sig, seed, key, "tampered", epoch)) assert.False(t, checkSignature(sha1sig, seed, key, "tampered", epoch)) From 6db1aeb9c69c9693b0dd91c28b9c4e1951993dfa Mon Sep 17 00:00:00 2001 From: Nick Meves Date: Thu, 6 Aug 2020 15:43:01 -0700 Subject: [PATCH 04/16] Validate Redis session store health on startup --- CHANGELOG.md | 3 + pkg/sessions/redis/redis_store.go | 6 +- pkg/validation/options.go | 1 + pkg/validation/sessions.go | 51 ++++++ pkg/validation/sessions_test.go | 278 +++++++++++++++++++++++++++--- 5 files changed, 308 insertions(+), 31 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f8ff3c3310..4919b34a27 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -11,9 +11,12 @@ ## Breaking Changes +- [#722](https://github.com/oauth2-proxy/oauth2-proxy/pull/722) When a Redis session store is configured, OAuth2-Proxy will fail to start up unless connection and health checks to Redis pass + ## Changes since v6.1.1 - [#575](https://github.com/oauth2-proxy/oauth2-proxy/pull/575) Stop accepting legacy SHA1 signed cookies (@NickMeves) +- [#722](https://github.com/oauth2-proxy/oauth2-proxy/pull/722) Validate Redis configuration options at startup (@NickMeves) - [#764](https://github.com/oauth2-proxy/oauth2-proxy/pull/764) Document bcrypt encryption for htpasswd (and hide SHA) (@lentzi90) - [#616](https://github.com/oauth2-proxy/oauth2-proxy/pull/616) Add support to ensure user belongs in required groups when using the OIDC provider (@stefansedich) diff --git a/pkg/sessions/redis/redis_store.go b/pkg/sessions/redis/redis_store.go index 10d99347b8..dcdf6a27c2 100644 --- a/pkg/sessions/redis/redis_store.go +++ b/pkg/sessions/redis/redis_store.go @@ -23,7 +23,7 @@ type SessionStore struct { // NewRedisSessionStore initialises a new instance of the SessionStore and wraps // it in a persistence.Manager func NewRedisSessionStore(opts *options.SessionOptions, cookieOpts *options.Cookie) (sessions.SessionStore, error) { - client, err := newRedisClient(opts.Redis) + client, err := NewRedisClient(opts.Redis) if err != nil { return nil, fmt.Errorf("error constructing redis client: %v", err) } 
@@ -64,9 +64,9 @@ func (store *SessionStore) Clear(ctx context.Context, key string) error { return nil } -// newRedisClient makes a redis.Client (either standalone, sentinel aware, or +// NewRedisClient makes a redis.Client (either standalone, sentinel aware, or // redis cluster) -func newRedisClient(opts options.RedisStoreOptions) (Client, error) { +func NewRedisClient(opts options.RedisStoreOptions) (Client, error) { if opts.UseSentinel && opts.UseCluster { return nil, fmt.Errorf("options redis-use-sentinel and redis-use-cluster are mutually exclusive") } diff --git a/pkg/validation/options.go b/pkg/validation/options.go index 75f678bee0..9964d2d863 100644 --- a/pkg/validation/options.go +++ b/pkg/validation/options.go @@ -28,6 +28,7 @@ import ( func Validate(o *options.Options) error { msgs := validateCookie(o.Cookie) msgs = append(msgs, validateSessionCookieMinimal(o)...) + msgs = append(msgs, validateRedisSessionStore(o)...) if o.SSLInsecureSkipVerify { // InsecureSkipVerify is a configurable option we allow diff --git a/pkg/validation/sessions.go b/pkg/validation/sessions.go index db4ba9fddc..1d61b92c29 100644 --- a/pkg/validation/sessions.go +++ b/pkg/validation/sessions.go @@ -1,9 +1,13 @@ package validation import ( + "context" + "fmt" "time" "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/pkg/encryption" + "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/redis" ) func validateSessionCookieMinimal(o *options.Options) []string { 
@@ -30,3 +34,50 @@ func validateSessionCookieMinimal(o *options.Options) []string { } return msgs } + +// validateRedisSessionStore builds a Redis Client from the options and +// attempts to connect, Set, Get and Del a random health check key +func validateRedisSessionStore(o *options.Options) []string { + if o.Session.Type != options.RedisSessionStoreType { + return []string{} + } + + client, err := redis.NewRedisClient(o.Session.Redis) + if err != nil { + return []string{fmt.Sprintf("unable to initialize a redis client: %v", err)} + } + + nonce, err := encryption.Nonce() + if err != nil { + return []string{fmt.Sprintf("unable to generate a redis initialization test key: %v", err)} + } + + key := fmt.Sprintf("%s-healthcheck-%s", o.Cookie.Name, nonce) + return sendRedisConnectionTest(client, key, nonce) +} + +func sendRedisConnectionTest(client redis.Client, key string, val string) []string { + msgs := []string{} + ctx := context.Background() + + err := client.Set(ctx, key, []byte(val), time.Duration(60)*time.Second) + if err != nil { + msgs = append(msgs, fmt.Sprintf("unable to set a redis initialization key: %v", err)) + } else { + gval, err := client.Get(ctx, key) + if err != nil { + msgs = append(msgs, + fmt.Sprintf("unable to retrieve redis initialization key: %v", err)) + } + if string(gval) != val { + msgs = append(msgs, + "the retrieved redis initialization key did not match the value we set") + } + } + + err = client.Del(ctx, key) + if err != nil { + msgs = append(msgs, fmt.Sprintf("unable to delete the redis initialization key: %v", err)) + } + return msgs +} diff --git a/pkg/validation/sessions_test.go b/pkg/validation/sessions_test.go index a6ffdbd0e3..edd06acfcb 100644 --- a/pkg/validation/sessions_test.go +++ b/pkg/validation/sessions_test.go 
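Review bot: sendRedisConnectionTest runs its Set/Get/Del round-trip on `context.Background()` with no deadline, so a Redis endpoint that accepts the TCP connection but never answers (or a black-holed address) can stall start-up indefinitely instead of failing validation; unless the client returned by redis.NewRedisClient applies its own dial/read timeouts — not visible in this hunk — give the check a bounded context, `ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)` followed by `defer cancel()` (10 s is an illustrative value). The Del is also attempted after a failed Set, so an unreachable server reports the same underlying error twice; if that pairing is intentional, a comment on the Del such as `// always attempt cleanup so a successful Set never leaves the health-check key behind` would make it clear. Minor style: `time.Duration(60)*time.Second` reads more directly as `60*time.Second`.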
@@ -1,14 +1,17 @@ package validation import ( - "testing" "time" + "github.com/Bose/minisentinel" + "github.com/alicebob/miniredis/v2" "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + . "github.com/onsi/ginkgo" + . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" ) -func Test_validateSessionCookieMinimal(t *testing.T) { +var _ = Describe("Sessions", func() { const ( passAuthorizationMsg = "pass_authorization_header requires oauth tokens in sessions. session_cookie_minimal cannot be set" setAuthorizationMsg = "set_authorization_header requires oauth tokens in sessions. session_cookie_minimal cannot be set" @@ -16,11 +19,16 @@ func Test_validateSessionCookieMinimal(t *testing.T) { cookieRefreshMsg = "cookie_refresh > 0 requires oauth tokens in sessions. session_cookie_minimal cannot be set" ) - testCases := map[string]struct { + type cookieMinimalTableInput struct { opts *options.Options errStrings []string - }{ - "No minimal cookie session": { + } + + DescribeTable("validateSessionCookieMinimal", + func(o *cookieMinimalTableInput) { + Expect(validateSessionCookieMinimal(o.opts)).To(ConsistOf(o.errStrings)) + }, + Entry("No minimal cookie session", &cookieMinimalTableInput{ opts: &options.Options{ Session: options.SessionOptions{ Cookie: options.CookieStoreOptions{ @@ -29,8 +37,8 @@ func Test_validateSessionCookieMinimal(t *testing.T) { }, }, errStrings: []string{}, - }, - "No minimal cookie session & passAuthorization": { + }), + Entry("No minimal cookie session & passAuthorization", &cookieMinimalTableInput{ opts: &options.Options{ Session: options.SessionOptions{ Cookie: options.CookieStoreOptions{ 
@@ -40,8 +48,8 @@ func Test_validateSessionCookieMinimal(t *testing.T) { PassAuthorization: true, }, errStrings: []string{}, - }, - "Minimal cookie session no conflicts": { + }), + Entry("Minimal cookie session no conflicts", &cookieMinimalTableInput{ opts: &options.Options{ Session: options.SessionOptions{ Cookie: options.CookieStoreOptions{ @@ -50,8 +58,8 @@ func Test_validateSessionCookieMinimal(t *testing.T) { }, }, errStrings: []string{}, - }, - "PassAuthorization conflict": { + }), + Entry("PassAuthorization conflict", &cookieMinimalTableInput{ opts: &options.Options{ Session: options.SessionOptions{ Cookie: options.CookieStoreOptions{ @@ -61,8 +69,8 @@ func Test_validateSessionCookieMinimal(t *testing.T) { PassAuthorization: true, }, errStrings: []string{passAuthorizationMsg}, - }, - "SetAuthorization conflict": { + }), + Entry("SetAuthorization conflict", &cookieMinimalTableInput{ opts: &options.Options{ Session: options.SessionOptions{ Cookie: options.CookieStoreOptions{ @@ -72,8 +80,8 @@ func Test_validateSessionCookieMinimal(t *testing.T) { SetAuthorization: true, }, errStrings: []string{setAuthorizationMsg}, - }, - "PassAccessToken conflict": { + }), + Entry("PassAccessToken conflict", &cookieMinimalTableInput{ opts: &options.Options{ Session: options.SessionOptions{ Cookie: options.CookieStoreOptions{ @@ -83,8 +91,8 @@ func Test_validateSessionCookieMinimal(t *testing.T) { PassAccessToken: true, }, errStrings: []string{passAccessTokenMsg}, - }, - "CookieRefresh conflict": { + }), + Entry("CookieRefresh conflict", &cookieMinimalTableInput{ opts: &options.Options{ Cookie: options.Cookie{ Refresh: time.Hour, @@ -96,8 +104,8 @@ func Test_validateSessionCookieMinimal(t *testing.T) { }, }, errStrings: []string{cookieRefreshMsg}, - }, - "Multiple conflicts": { + }), + Entry("Multiple conflicts", &cookieMinimalTableInput{ opts: &options.Options{ Session: options.SessionOptions{ Cookie: options.CookieStoreOptions{ 
@@ -108,14 +116,228 @@ func Test_validateSessionCookieMinimal(t *testing.T) { PassAccessToken: true, }, errStrings: []string{passAuthorizationMsg, passAccessTokenMsg}, - }, - } + }), + ) - for testName, tc := range testCases { - t.Run(testName, func(t *testing.T) { - errStrings := validateSessionCookieMinimal(tc.opts) - g := NewWithT(t) - g.Expect(errStrings).To(ConsistOf(tc.errStrings)) - }) + const ( + clusterAndSentinelMsg = "unable to initialize a redis client: options redis-use-sentinel and redis-use-cluster are mutually exclusive" + parseWrongSchemeMsg = "unable to initialize a redis client: unable to parse redis url: invalid redis URL scheme: https" + parseWrongFormatMsg = "unable to initialize a redis client: unable to parse redis url: invalid redis database number: \"wrong\"" + invalidPasswordSetMsg = "unable to set a redis initialization key: WRONGPASS invalid username-password pair" + invalidPasswordDelMsg = "unable to delete the redis initialization key: WRONGPASS invalid username-password pair" + unreachableRedisSetMsg = "unable to set a redis initialization key: dial tcp 127.0.0.1:65535: connect: connection refused" + unreachableRedisDelMsg = "unable to delete the redis initialization key: dial tcp 127.0.0.1:65535: connect: connection refused" + unreachableSentinelSetMsg = "unable to set a redis initialization key: redis: all sentinels are unreachable" + unrechableSentinelDelMsg = "unable to delete the redis initialization key: redis: all sentinels are unreachable" + ) + + type redisStoreTableInput struct { + // miniredis setup details + password string + useSentinel bool + setAddr bool + setSentinelAddr bool + setMasterName bool + + opts *options.Options + errStrings []string } -} + + DescribeTable("validateRedisSessionStore", + func(o *redisStoreTableInput) { + mr, err := miniredis.Run() + Expect(err).ToNot(HaveOccurred()) + mr.RequireAuth(o.password) + defer mr.Close() + + if o.setAddr && !o.useSentinel { + o.opts.Session.Redis.ConnectionURL = 
"redis://" + mr.Addr() + } + + if o.useSentinel { + ms := minisentinel.NewSentinel(mr) + Expect(ms.Start()).To(Succeed()) + defer ms.Close() + + if o.setSentinelAddr { + o.opts.Session.Redis.SentinelConnectionURLs = []string{"redis://" + ms.Addr()} + } + if o.setMasterName { + o.opts.Session.Redis.SentinelMasterName = ms.MasterInfo().Name + } + } + + Expect(validateRedisSessionStore(o.opts)).To(ConsistOf(o.errStrings)) + }, + Entry("cookie sessions are skipped", &redisStoreTableInput{ + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.CookieSessionStoreType, + }, + }, + errStrings: []string{}, + }), + Entry("connect successfully to pure redis", &redisStoreTableInput{ + setAddr: true, + + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.RedisSessionStoreType, + }, + }, + errStrings: []string{}, + }), + Entry("failed redis connection with wrong address", &redisStoreTableInput{ + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.RedisSessionStoreType, + Redis: options.RedisStoreOptions{ + ConnectionURL: "redis://127.0.0.1:65535", + }, + }, + }, + errStrings: []string{unreachableRedisSetMsg, unreachableRedisDelMsg}, + }), + Entry("fail to parse an invalid connection URL with wrong scheme", &redisStoreTableInput{ + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.RedisSessionStoreType, + Redis: options.RedisStoreOptions{ + ConnectionURL: "https://example.com", + }, + }, + }, + errStrings: []string{parseWrongSchemeMsg}, + }), + Entry("fail to parse an invalid connection URL with invalid format", &redisStoreTableInput{ + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.RedisSessionStoreType, + Redis: options.RedisStoreOptions{ + ConnectionURL: "redis://127.0.0.1:6379/wrong", + }, + }, + }, + errStrings: []string{parseWrongFormatMsg}, + }), + Entry("connect successfully to pure redis with password", &redisStoreTableInput{ + password: "abcdef123", 
+ setAddr: true, + + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.RedisSessionStoreType, + Redis: options.RedisStoreOptions{ + Password: "abcdef123", + }, + }, + }, + errStrings: []string{}, + }), + Entry("failed connection with wrong password", &redisStoreTableInput{ + password: "abcdef123", + setAddr: true, + + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.RedisSessionStoreType, + Redis: options.RedisStoreOptions{ + Password: "zyxwtuv987", + }, + }, + }, + errStrings: []string{invalidPasswordSetMsg, invalidPasswordDelMsg}, + }), + Entry("connect successfully to sentinel redis", &redisStoreTableInput{ + useSentinel: true, + setSentinelAddr: true, + setMasterName: true, + + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.RedisSessionStoreType, + Redis: options.RedisStoreOptions{ + UseSentinel: true, + }, + }, + }, + errStrings: []string{}, + }), + Entry("connect successfully to sentinel redis with password", &redisStoreTableInput{ + password: "abcdef123", + useSentinel: true, + setSentinelAddr: true, + setMasterName: true, + + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.RedisSessionStoreType, + Redis: options.RedisStoreOptions{ + Password: "abcdef123", + UseSentinel: true, + }, + }, + }, + errStrings: []string{}, + }), + Entry("failed connection to sentinel redis with wrong password", &redisStoreTableInput{ + password: "abcdef123", + useSentinel: true, + setSentinelAddr: true, + setMasterName: true, + + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.RedisSessionStoreType, + Redis: options.RedisStoreOptions{ + Password: "zyxwtuv987", + UseSentinel: true, + }, + }, + }, + errStrings: []string{invalidPasswordSetMsg, invalidPasswordDelMsg}, + }), + Entry("failed connection to sentinel redis with wrong master name", &redisStoreTableInput{ + useSentinel: true, + setSentinelAddr: true, + + opts: &options.Options{ + Session: 
options.SessionOptions{ + Type: options.RedisSessionStoreType, + Redis: options.RedisStoreOptions{ + UseSentinel: true, + SentinelMasterName: "WRONG", + }, + }, + }, + errStrings: []string{unreachableSentinelSetMsg, unrechableSentinelDelMsg}, + }), + Entry("failed connection to sentinel redis with wrong address", &redisStoreTableInput{ + useSentinel: true, + setMasterName: true, + + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.RedisSessionStoreType, + Redis: options.RedisStoreOptions{ + UseSentinel: true, + SentinelConnectionURLs: []string{"redis://127.0.0.1:65535"}, + }, + }, + }, + errStrings: []string{unreachableSentinelSetMsg, unrechableSentinelDelMsg}, + }), + Entry("sentinel and cluster both enabled fails", &redisStoreTableInput{ + opts: &options.Options{ + Session: options.SessionOptions{ + Type: options.RedisSessionStoreType, + Redis: options.RedisStoreOptions{ + UseSentinel: true, + UseCluster: true, + }, + }, + }, + errStrings: []string{clusterAndSentinelMsg}, + }), + ) +}) From 3371284a3698378147eff32e073b350218b586da Mon Sep 17 00:00:00 2001 From: Nick Meves Date: Wed, 23 Sep 2020 15:55:22 -0700 Subject: [PATCH 05/16] Remove GetPreferredUsername method from Provider interface It isn't used in any providers and we have future plans to remove the specialness of PreferredUsername and make it an optional field in the session. User, Email & Groups will eventually be the only first class fields on the session that are always set. --- oauthproxy.go | 7 ------- providers/provider_default.go | 5 ----- providers/providers.go | 1 - 3 files changed, 13 deletions(-) diff --git a/oauthproxy.go b/oauthproxy.go index 17d106d5d1..b3b3cbe608 100644 --- a/oauthproxy.go +++ b/oauthproxy.go 
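Review bot: The expectations `unreachableRedisSetMsg` and `unreachableRedisDelMsg` pin the OS dial error text `dial tcp 127.0.0.1:65535: connect: connection refused`, which is Linux/macOS wording — Windows reports a refused connection with different text — so these entries are platform-fragile; matching the oauth2-proxy-owned prefix with `ContainSubstring("unable to set a redis initialization key")` (and the Del equivalent) would keep the intent without pinning the socket layer. The sentinel constants have the same exposure to go-redis's internal wording (`redis: all sentinels are unreachable`). The constant `unrechableSentinelDelMsg` also has a typo (`unrechable`); `unreachableSentinelDelMsg` would match its Set counterpart.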
@@ -310,13 +310,6 @@ func (p *OAuthProxy) redeemCode(ctx context.Context, host, code string) (s *sess s.Email, err = p.provider.GetEmailAddress(ctx, s) } - if s.PreferredUsername == "" { - s.PreferredUsername, err = p.provider.GetPreferredUsername(ctx, s) - if err != nil && err.Error() == "not implemented" { - err = nil - } - } - if s.User == "" { s.User, err = p.provider.GetUserName(ctx, s) if err != nil && err.Error() == "not implemented" { diff --git a/providers/provider_default.go b/providers/provider_default.go index 58e1b4fc88..ba05a96c8c 100644 --- a/providers/provider_default.go +++ b/providers/provider_default.go @@ -104,11 +104,6 @@ func (p *ProviderData) GetUserName(ctx context.Context, s *sessions.SessionState return "", errors.New("not implemented") } -// GetPreferredUsername returns the Account preferred username -func (p *ProviderData) GetPreferredUsername(ctx context.Context, s *sessions.SessionState) (string, error) { - return "", errors.New("not implemented") -} - // ValidateGroup validates that the provided email exists in the configured provider // email group(s). func (p *ProviderData) ValidateGroup(email string) bool { diff --git a/providers/providers.go b/providers/providers.go index a52eff9081..eefc599491 100644 --- a/providers/providers.go +++ b/providers/providers.go @@ -12,7 +12,6 @@ type Provider interface { Data() *ProviderData GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error) GetUserName(ctx context.Context, s *sessions.SessionState) (string, error) - GetPreferredUsername(ctx context.Context, s *sessions.SessionState) (string, error) Redeem(ctx context.Context, redirectURI, code string) (*sessions.SessionState, error) ValidateGroup(string) bool ValidateSessionState(ctx context.Context, s *sessions.SessionState) bool From e0d915cc0347c8d026baa6bad205d7cc5564d932 Mon Sep 17 00:00:00 2001 
From: Nick Meves Date: Wed, 23 Sep 2020 16:04:54 -0700 Subject: [PATCH 06/16] Stop shadowing GetEmailAddress errors in redeemCode --- CHANGELOG.md | 1 + oauthproxy.go | 16 ++++++++++------ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4919b34a27..5e4ec5bf9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ - [#575](https://github.com/oauth2-proxy/oauth2-proxy/pull/575) Stop accepting legacy SHA1 signed cookies (@NickMeves) - [#722](https://github.com/oauth2-proxy/oauth2-proxy/pull/722) Validate Redis configuration options at startup (@NickMeves) +- [#791](https://github.com/oauth2-proxy/oauth2-proxy/pull/791) Remove GetPreferredUsername method from provider interface (@NickMeves) - [#764](https://github.com/oauth2-proxy/oauth2-proxy/pull/764) Document bcrypt encryption for htpasswd (and hide SHA) (@lentzi90) - [#616](https://github.com/oauth2-proxy/oauth2-proxy/pull/616) Add support to ensure user belongs in required groups when using the OIDC provider (@stefansedich) diff --git a/oauthproxy.go b/oauthproxy.go index b3b3cbe608..0f69caabf7 100644 --- a/oauthproxy.go +++ b/oauthproxy.go 
@@ -296,27 +296,31 @@ func (p *OAuthProxy) GetRedirectURI(host string) string { return u.String() } -func (p *OAuthProxy) redeemCode(ctx context.Context, host, code string) (s *sessionsapi.SessionState, err error) { +func (p *OAuthProxy) redeemCode(ctx context.Context, host, code string) (*sessionsapi.SessionState, error) { if code == "" { return nil, errors.New("missing code") } redirectURI := p.GetRedirectURI(host) - s, err = p.provider.Redeem(ctx, redirectURI, code) + s, err := p.provider.Redeem(ctx, redirectURI, code) if err != nil { - return + return nil, err } if s.Email == "" { s.Email, err = p.provider.GetEmailAddress(ctx, s) + if err != nil && err.Error() != "not implemented" { + return nil, err + } } if s.User == "" { s.User, err = p.provider.GetUserName(ctx, s) - if err != nil && err.Error() == "not implemented" { - err = nil + if err != nil && err.Error() != "not implemented" { + return nil, err } } - return + + return s, nil } // MakeCSRFCookie creates a cookie for CSRF From 8cbf9219bc0e93e9d0e62705d2195e802b60b23f Mon Sep 17 00:00:00 2001 From: Alexander Block Date: Mon, 13 Jul 2020 14:24:04 +0200 Subject: [PATCH 07/16] Pass resource parameter in login url --- providers/provider_default.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/providers/provider_default.go b/providers/provider_default.go index ba05a96c8c..f20fe687bb 100644 --- a/providers/provider_default.go +++ b/providers/provider_default.go @@ -90,6 +90,9 @@ func (p *ProviderData) GetLoginURL(redirectURI, state string) string { params.Set("client_id", p.ClientID) params.Set("response_type", "code") params.Add("state", state) + if p.ProtectedResource != nil && p.ProtectedResource.String() != "" { + params.Add("resource", p.ProtectedResource.String()) + } a.RawQuery = params.Encode() return a.String() } From 017b9bcfb7f387c44e158be02f6d405e66e07228 Mon Sep 17 00:00:00 2001 
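Review bot: The new error paths in redeemCode still decide whether an error is fatal by comparing its text, `err.Error() != "not implemented"`, so a provider that wraps that error (or phrases it differently) now makes login fail outright, and the check is duplicated for GetEmailAddress and GetUserName in this hunk. Define a sentinel in the providers package, e.g. `var ErrNotImplemented = errors.New("not implemented")` returned by the default implementations, and test with `if err != nil && !errors.Is(err, ErrNotImplemented) { return nil, err }` in both places. Since errors from GetEmailAddress are now surfaced rather than shadowed, a short doc comment on redeemCode stating that an empty Email/User is only tolerated when the provider does not implement the lookup would help callers reason about the nil-session return.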
From: Alexander Block Date: Thu, 10 Sep 2020 10:30:05 +0200 Subject: [PATCH 08/16] Add unit test for protected resources --- providers/provider_default_test.go | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/providers/provider_default_test.go b/providers/provider_default_test.go index 74d7096f92..e699a68ed1 100644 --- a/providers/provider_default_test.go +++ b/providers/provider_default_test.go @@ -47,3 +47,21 @@ func TestAcrValuesConfigured(t *testing.T) { result := p.GetLoginURL("https://my.test.app/oauth", "") assert.Contains(t, result, "acr_values=testValue") } + +func TestProtectedResourceConfigured(t *testing.T) { + p := &ProviderData{ + LoginURL: &url.URL{ + Scheme: "http", + Host: "my.test.idp", + Path: "/oauth/authorize", + }, + AcrValues: "testValue", + ProtectedResource: &url.URL{ + Scheme: "http", + Host: "my.resource.test", + }, + } + + result := p.GetLoginURL("https://my.test.app/oauth", "") + assert.Contains(t, result, "resource="+url.QueryEscape("http://my.resource.test")) +} From 97e95fd4ffe4887fe2a334d78c0279d2f30d46a5 Mon Sep 17 00:00:00 2001 From: Alexander Block Date: Mon, 14 Sep 2020 13:22:53 +0200 Subject: [PATCH 09/16] Move actual implementation of default provider GetLoginURL into DefaultGetLoginURL This allows us to reuse code from different providers in case slight modifications to the URL are needed. --- providers/provider_default.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/providers/provider_default.go b/providers/provider_default.go index f20fe687bb..6e898a84e4 100644 --- a/providers/provider_default.go +++ b/providers/provider_default.go 
@@ -73,8 +73,7 @@ func (p *ProviderData) Redeem(ctx context.Context, redirectURL, code string) (s return } -// GetLoginURL with typical oauth parameters -func (p *ProviderData) GetLoginURL(redirectURI, state string) string { +func DefaultGetLoginURL(p *ProviderData, redirectURI, state string) (url.URL, url.Values) { a := *p.LoginURL params, _ := url.ParseQuery(a.RawQuery) params.Set("redirect_uri", redirectURI) @@ -93,6 +92,12 @@ func (p *ProviderData) GetLoginURL(redirectURI, state string) string { if p.ProtectedResource != nil && p.ProtectedResource.String() != "" { params.Add("resource", p.ProtectedResource.String()) } + return a, params +} + +// GetLoginURL with typical oauth parameters +func (p *ProviderData) GetLoginURL(redirectURI, state string) string { + a, params := DefaultGetLoginURL(p, redirectURI, state) a.RawQuery = params.Encode() return a.String() } From fde09bea4ec847d4611836d657215cfc60dbc2ef Mon Sep 17 00:00:00 2001 From: Alexander Block Date: Mon, 14 Sep 2020 13:48:17 +0200 Subject: [PATCH 10/16] Move azure specific resource parameter handling into azure provider --- providers/azure.go | 9 +++++++++ providers/azure_test.go | 7 +++++++ providers/provider_default.go | 3 --- providers/provider_default_test.go | 18 ------------------ 4 files changed, 16 insertions(+), 21 deletions(-) diff --git a/providers/azure.go b/providers/azure.go index 0ae0cba6ed..c9940d619c 100644 --- a/providers/azure.go +++ b/providers/azure.go @@ -210,3 +210,12 @@ func (p *AzureProvider) GetEmailAddress(ctx context.Context, s *sessions.Session return email, err } + +func (p *AzureProvider) GetLoginURL(redirectURI, state string) string { + a, params := DefaultGetLoginURL(p.ProviderData, redirectURI, state) + if p.ProtectedResource != nil && p.ProtectedResource.String() != "" { + params.Add("resource", p.ProtectedResource.String()) + } + a.RawQuery = params.Encode() + return a.String() +} 
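Review bot: AzureProvider.GetLoginURL is a new exported method with no doc comment, and because it overrides ProviderData.GetLoginURL a one-liner stating why matters: `// GetLoginURL overrides GetLoginURL to add the Azure-specific resource parameter`. The guard `p.ProtectedResource != nil && p.ProtectedResource.String() != ""` is carried over verbatim from the removed provider_default.go lines; if the empty-string half is there to tolerate a non-nil zero-value `*url.URL` from option parsing, a comment saying so would stop a later cleanup from reducing it to a nil check. Note that `params.Add("resource", ...)` appends rather than replaces, so a `resource` already present in the configured LoginURL query would be sent twice — presumably not a supported configuration, but `params.Set` would make that unambiguous.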
diff --git a/providers/azure_test.go b/providers/azure_test.go index fe9bbb4238..6e2e4e9730 100644 --- a/providers/azure_test.go +++ b/providers/azure_test.go @@ -213,3 +213,10 @@ func TestAzureProviderRedeemReturnsIdToken(t *testing.T) { assert.Equal(t, timestamp, s.ExpiresOn.UTC()) assert.Equal(t, "refresh1234", s.RefreshToken) } + +func TestAzureProviderProtectedResourceConfigured(t *testing.T) { + p := testAzureProvider("") + p.ProtectedResource, _ = url.Parse("http://my.resource.test") + result := p.GetLoginURL("https://my.test.app/oauth", "") + assert.Contains(t, result, "resource="+url.QueryEscape("http://my.resource.test")) +} diff --git a/providers/provider_default.go b/providers/provider_default.go index 6e898a84e4..65c7f72929 100644 --- a/providers/provider_default.go +++ b/providers/provider_default.go @@ -89,9 +89,6 @@ func DefaultGetLoginURL(p *ProviderData, redirectURI, state string) (url.URL, ur params.Set("client_id", p.ClientID) params.Set("response_type", "code") params.Add("state", state) - if p.ProtectedResource != nil && p.ProtectedResource.String() != "" { - params.Add("resource", p.ProtectedResource.String()) - } return a, params } diff --git a/providers/provider_default_test.go b/providers/provider_default_test.go index e699a68ed1..74d7096f92 100644 --- a/providers/provider_default_test.go +++ b/providers/provider_default_test.go @@ -47,21 +47,3 @@ func TestAcrValuesConfigured(t *testing.T) { result := p.GetLoginURL("https://my.test.app/oauth", "") assert.Contains(t, result, "acr_values=testValue") } - -func TestProtectedResourceConfigured(t *testing.T) { - p := &ProviderData{ - LoginURL: &url.URL{ - Scheme: "http", - Host: "my.test.idp", - Path: "/oauth/authorize", - }, - AcrValues: "testValue", - ProtectedResource: &url.URL{ - Scheme: "http", - Host: "my.resource.test", - }, - } - - result := p.GetLoginURL("https://my.test.app/oauth", "") - assert.Contains(t, result, "resource="+url.QueryEscape("http://my.resource.test")) -} 
From 9a64e67d5bacf69ee8ec363842aa652260ff3fa4 Mon Sep 17 00:00:00 2001 From: Alexander Block Date: Mon, 14 Sep 2020 13:55:47 +0200 Subject: [PATCH 11/16] De-duplicate code in GetLoginURL of in logingov provider Also add unit test to ensure logingov specific logic is applied. --- providers/logingov.go | 18 +++++------------- providers/logingov_test.go | 7 +++++++ 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/providers/logingov.go b/providers/logingov.go index c524741fa7..e631237cae 100644 --- a/providers/logingov.go +++ b/providers/logingov.go @@ -225,19 +225,11 @@ func (p *LoginGovProvider) Redeem(ctx context.Context, redirectURL, code string) // GetLoginURL overrides GetLoginURL to add login.gov parameters func (p *LoginGovProvider) GetLoginURL(redirectURI, state string) string { - a := *p.LoginURL - params, _ := url.ParseQuery(a.RawQuery) - params.Set("redirect_uri", redirectURI) - params.Set("approval_prompt", p.ApprovalPrompt) - params.Add("scope", p.Scope) - params.Set("client_id", p.ClientID) - params.Set("response_type", "code") - params.Add("state", state) - acr := p.AcrValues - if acr == "" { - acr = "http://idmanagement.gov/ns/assurance/loa/1" - } - params.Add("acr_values", acr) + a, params := DefaultGetLoginURL(p.ProviderData, redirectURI, state) + if p.AcrValues == "" { + acr := "http://idmanagement.gov/ns/assurance/loa/1" + params.Add("acr_values", acr) + } params.Add("nonce", p.Nonce) a.RawQuery = params.Encode() return a.String() diff --git a/providers/logingov_test.go b/providers/logingov_test.go index 2c0f835701..0b70190b57 100644 --- a/providers/logingov_test.go +++ b/providers/logingov_test.go 
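Review bot: This de-duplication changes login.gov's prompt handling: the removed lines always sent `approval_prompt`, whereas DefaultGetLoginURL (its body is visible in the later util.go hunk of this series) sends `prompt` when `p.Prompt` is set and only falls back to `approval_prompt` otherwise. That may be the intended behaviour, but it is not mentioned in the commit message and the new TestLoginGovProviderGetLoginURL only asserts `acr_values` and `nonce`; either record the intent in the existing doc comment (`// GetLoginURL overrides GetLoginURL to add login.gov parameters; prompt handling follows the default provider`) or add an assertion covering the prompt parameter. The rest of the refactor (default `acr_values` only when `p.AcrValues` is empty) is equivalent to the old unconditional add, since the shared helper adds `acr_values` only when it is non-empty.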
@@ -289,3 +289,10 @@ func TestLoginGovProviderBadNonce(t *testing.T) { // The "badfakenonce" in the idtoken above should cause this to error out assert.Error(t, err) } + +func TestLoginGovProviderGetLoginURL(t *testing.T) { + p, _, _ := newLoginGovProvider() + result := p.GetLoginURL("http://redirect/", "") + assert.Contains(t, result, "acr_values="+url.QueryEscape("http://idmanagement.gov/ns/assurance/loa/1")) + assert.Contains(t, result, "nonce=fakenonce") +} From 4eb96126799c8dc7288873db4d814fb91de9f7e9 Mon Sep 17 00:00:00 2001 From: Alexander Block Date: Tue, 15 Sep 2020 10:12:25 +0200 Subject: [PATCH 12/16] Move DefaultGetLoginURL into util.go --- providers/azure.go | 2 +- providers/logingov.go | 2 +- providers/provider_default.go | 21 +-------------------- providers/util.go | 20 ++++++++++++++++++++ 4 files changed, 23 insertions(+), 22 deletions(-) diff --git a/providers/azure.go b/providers/azure.go index c9940d619c..9103d17859 100644 --- a/providers/azure.go +++ b/providers/azure.go @@ -212,7 +212,7 @@ func (p *AzureProvider) GetEmailAddress(ctx context.Context, s *sessions.Session } func (p *AzureProvider) GetLoginURL(redirectURI, state string) string { - a, params := DefaultGetLoginURL(p.ProviderData, redirectURI, state) + a, params := makeLoginURL(p.ProviderData, redirectURI, state) if p.ProtectedResource != nil && p.ProtectedResource.String() != "" { params.Add("resource", p.ProtectedResource.String()) } diff --git a/providers/logingov.go b/providers/logingov.go index e631237cae..32fe1c7849 100644 --- a/providers/logingov.go +++ b/providers/logingov.go 
@@ -225,7 +225,7 @@ func (p *LoginGovProvider) Redeem(ctx context.Context, redirectURL, code string) // GetLoginURL overrides GetLoginURL to add login.gov parameters func (p *LoginGovProvider) GetLoginURL(redirectURI, state string) string { - a, params := DefaultGetLoginURL(p.ProviderData, redirectURI, state) + a, params := makeLoginURL(p.ProviderData, redirectURI, state) if p.AcrValues == "" { acr := "http://idmanagement.gov/ns/assurance/loa/1" params.Add("acr_values", acr) diff --git a/providers/provider_default.go b/providers/provider_default.go index 65c7f72929..5fc5321948 100644 --- a/providers/provider_default.go +++ b/providers/provider_default.go @@ -73,28 +73,9 @@ func (p *ProviderData) Redeem(ctx context.Context, redirectURL, code string) (s return } -func DefaultGetLoginURL(p *ProviderData, redirectURI, state string) (url.URL, url.Values) { - a := *p.LoginURL - params, _ := url.ParseQuery(a.RawQuery) - params.Set("redirect_uri", redirectURI) - if p.AcrValues != "" { - params.Add("acr_values", p.AcrValues) - } - if p.Prompt != "" { - params.Set("prompt", p.Prompt) - } else { // Legacy variant of the prompt param: - params.Set("approval_prompt", p.ApprovalPrompt) - } - params.Add("scope", p.Scope) - params.Set("client_id", p.ClientID) - params.Set("response_type", "code") - params.Add("state", state) - return a, params -} - // GetLoginURL with typical oauth parameters func (p *ProviderData) GetLoginURL(redirectURI, state string) string { - a, params := DefaultGetLoginURL(p, redirectURI, state) + a, params := makeLoginURL(p, redirectURI, state) a.RawQuery = params.Encode() return a.String() } diff --git a/providers/util.go b/providers/util.go index 374f637e53..5cbc7fb970 100644 --- a/providers/util.go +++ b/providers/util.go @@ -3,6 +3,7 @@ package providers import ( "fmt" "net/http" + "net/url" ) const ( 
@@ -29,3 +30,22 @@ func makeOIDCHeader(accessToken string) http.Header { } return makeAuthorizationHeader(tokenTypeBearer, accessToken, extraHeaders) } + +func makeLoginURL(p *ProviderData, redirectURI, state string) (url.URL, url.Values) { + a := *p.LoginURL + params, _ := url.ParseQuery(a.RawQuery) + params.Set("redirect_uri", redirectURI) + if p.AcrValues != "" { + params.Add("acr_values", p.AcrValues) + } + if p.Prompt != "" { + params.Set("prompt", p.Prompt) + } else { // Legacy variant of the prompt param: + params.Set("approval_prompt", p.ApprovalPrompt) + } + params.Add("scope", p.Scope) + params.Set("client_id", p.ClientID) + params.Set("response_type", "code") + params.Add("state", state) + return a, params +} From 74918c40d8ba0975f84e101f5d39dc7378acdc51 Mon Sep 17 00:00:00 2001 From: Alexander Block Date: Tue, 15 Sep 2020 10:20:10 +0200 Subject: [PATCH 13/16] Refactor makeLoginURL to accept extraParams And don't require the caller to know how to use the returned params. --- providers/azure.go | 6 +++--- providers/logingov.go | 8 ++++---- providers/provider_default.go | 4 ++-- providers/util.go | 10 ++++++++-- 4 files changed, 17 insertions(+), 11 deletions(-) diff --git a/providers/azure.go b/providers/azure.go index 9103d17859..934f451110 100644 --- a/providers/azure.go +++ b/providers/azure.go @@ -212,10 +212,10 @@ func (p *AzureProvider) GetEmailAddress(ctx context.Context, s *sessions.Session } func (p *AzureProvider) GetLoginURL(redirectURI, state string) string { - a, params := makeLoginURL(p.ProviderData, redirectURI, state) + extraParams := url.Values{} if p.ProtectedResource != nil && p.ProtectedResource.String() != "" { - params.Add("resource", p.ProtectedResource.String()) + extraParams.Add("resource", p.ProtectedResource.String()) } - a.RawQuery = params.Encode() + a := makeLoginURL(p.ProviderData, redirectURI, state, extraParams) return a.String() } 
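Review bot: `params, _ := url.ParseQuery(a.RawQuery)` in the new makeLoginURL discards the parse error, so a configured login URL whose query is malformed yields a silently truncated parameter set instead of a startup failure; if LoginURL is validated at option load (not visible from this hunk) a comment saying so is enough, otherwise the error should surface. The `state` parameter is also appended with `params.Add("state", state)` while `redirect_uri` and `client_id` use `Set`; if the configured LoginURL already carries a `state` query parameter the request will contain two `state` values and the authorization server may echo back the wrong one, which would fail the callback's CSRF check — `params.Set("state", state)` avoids that. The function has no doc comment; I would add `// makeLoginURL builds the authorization request URL from p.LoginURL, setting the standard OAuth2 parameters (redirect_uri, scope, client_id, response_type, state) plus acr_values and prompt/approval_prompt when configured.`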
diff --git a/providers/logingov.go b/providers/logingov.go index 32fe1c7849..a822108fe7 100644 --- a/providers/logingov.go +++ b/providers/logingov.go @@ -225,12 +225,12 @@ func (p *LoginGovProvider) Redeem(ctx context.Context, redirectURL, code string) // GetLoginURL overrides GetLoginURL to add login.gov parameters func (p *LoginGovProvider) GetLoginURL(redirectURI, state string) string { - a, params := makeLoginURL(p.ProviderData, redirectURI, state) + extraParams := url.Values{} if p.AcrValues == "" { acr := "http://idmanagement.gov/ns/assurance/loa/1" - params.Add("acr_values", acr) + extraParams.Add("acr_values", acr) } - params.Add("nonce", p.Nonce) - a.RawQuery = params.Encode() + extraParams.Add("nonce", p.Nonce) + a := makeLoginURL(p.ProviderData, redirectURI, state, extraParams) return a.String() } diff --git a/providers/provider_default.go b/providers/provider_default.go index 5fc5321948..337b284ca5 100644 --- a/providers/provider_default.go +++ b/providers/provider_default.go @@ -75,8 +75,8 @@ func (p *ProviderData) Redeem(ctx context.Context, redirectURL, code string) (s // GetLoginURL with typical oauth parameters func (p *ProviderData) GetLoginURL(redirectURI, state string) string { - a, params := makeLoginURL(p, redirectURI, state) - a.RawQuery = params.Encode() + extraParams := url.Values{} + a := makeLoginURL(p, redirectURI, state, extraParams) return a.String() } diff --git a/providers/util.go b/providers/util.go index 5cbc7fb970..b4b65ac63b 100644 --- a/providers/util.go +++ b/providers/util.go @@ -31,7 +31,7 @@ func makeOIDCHeader(accessToken string) http.Header { return makeAuthorizationHeader(tokenTypeBearer, accessToken, extraHeaders) } -func makeLoginURL(p *ProviderData, redirectURI, state string) (url.URL, url.Values) { +func makeLoginURL(p *ProviderData, redirectURI, state string, extraParams url.Values) url.URL { a := *p.LoginURL params, _ := url.ParseQuery(a.RawQuery) params.Set("redirect_uri", redirectURI) 
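Review bot: `extraParams.Add("nonce", p.Nonce)` in LoginGovProvider.GetLoginURL sends a nonce taken from provider state rather than one generated for this login; the test in the earlier hunk asserts a fixed `nonce=fakenonce`, and if p.Nonce is set once at construction (where it is set is not visible here) every login URL reuses the same value, which defeats the replay protection the OIDC nonce exists for. This predates the refactor, but since the hunk is reshaping how the parameter is passed it is a good moment to plumb a per-request nonce through, or at least to add `// NOTE: p.Nonce is reused across logins — confirm it is regenerated per request` until that is done.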
@@ -47,5 +47,11 @@ func makeLoginURL(p *ProviderData, redirectURI, state string) (url.URL, url.Valu
 params.Set("client_id", p.ClientID)
 params.Set("response_type", "code")
 params.Add("state", state)
- return a, params
+ for n, p := range extraParams {
+ for _, v := range p {
+ params.Add(n, v)
+ }
+ }
+ a.RawQuery = params.Encode()
+ return a
 }
From 090eff0197b7c347c95ad9a7461dc771b3432ed7 Mon Sep 17 00:00:00 2001 From: Alexander Block Date: Mon, 21 Sep 2020 09:45:16 +0200 Subject: [PATCH 14/16] Add CHANGELOG.md entries for #753 --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e4ec5bf9a..4bf6315980 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,9 +12,14 @@ ## Breaking Changes - [#722](https://github.com/oauth2-proxy/oauth2-proxy/pull/722) When a Redis session store is configured, OAuth2-Proxy will fail to start up unless connection and health checks to Redis pass +- A bug in the Azure provider prevented it from properly passing the configured protected `--resource` + via the login url. If this option was used in the past, behavior will change with this release as it will + affect the tokens returned by Azure. In the past, the tokens were always for `https://graph.microsoft.com` (the default) + and will now be for the configured resource (if it exists, otherwise it will run into errors) ## Changes since v6.1.1 +- [#753](https://github.com/oauth2-proxy/oauth2-proxy/pull/753) Pass resource parameter in login url (@codablock) - [#575](https://github.com/oauth2-proxy/oauth2-proxy/pull/575) Stop accepting legacy SHA1 signed cookies (@NickMeves) - [#722](https://github.com/oauth2-proxy/oauth2-proxy/pull/722) Validate Redis configuration options at startup (@NickMeves) - [#791](https://github.com/oauth2-proxy/oauth2-proxy/pull/791) Remove GetPreferredUsername method from provider interface (@NickMeves) From d046782f6171dad9ff100e21c8ae60d096d84395 Mon Sep 17 00:00:00 2001
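Review bot: The merge loop `for n, p := range extraParams` shadows the `p *ProviderData` parameter for the rest of the loop body; it compiles today, but any later `p.Field` reference inside the loop would silently bind to the `[]string`, and the vet shadow analyzer flags it. Rename the loop variables: `for name, values := range extraParams { for _, v := range values { params.Add(name, v) } }`. Because the merge uses `Add`, a caller that passes a reserved key such as `redirect_uri`, `state` or `client_id` in extraParams produces a duplicated parameter rather than an override, which an authorization server may resolve either way; a comment stating that extraParams must not contain the standard parameters, or an explicit `Set` for those keys, would pin the intent. makeLoginURL's signature and the first half of its body sit in the previous hunk, outside this one.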
From: Alexander Block Date: Tue, 29 Sep 2020 13:35:40 +0200 Subject: [PATCH 15/16] Add link to #753 in changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4bf6315980..3e1ac92702 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,7 @@ ## Breaking Changes - [#722](https://github.com/oauth2-proxy/oauth2-proxy/pull/722) When a Redis session store is configured, OAuth2-Proxy will fail to start up unless connection and health checks to Redis pass -- A bug in the Azure provider prevented it from properly passing the configured protected `--resource` +- [#753](https://github.com/oauth2-proxy/oauth2-proxy/pull/753) A bug in the Azure provider prevented it from properly passing the configured protected `--resource` via the login url. If this option was used in the past, behavior will change with this release as it will affect the tokens returned by Azure. In the past, the tokens were always for `https://graph.microsoft.com` (the default) and will now be for the configured resource (if it exists, otherwise it will run into errors) From 3fa42edb7350219d317c4bd47faf5da6192dc70f Mon Sep 17 00:00:00 2001 
From: Mitsuo Heijo Date: Wed, 30 Sep 2020 01:44:42 +0900 Subject: [PATCH 16/16] Fix import path for v7 (#800) * fix import path for v7 find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|' * fix module path * go mod tidy * fix installation docs * update CHANGELOG * Update CHANGELOG.md Co-authored-by: Joel Speed Co-authored-by: Joel Speed --- CHANGELOG.md | 4 +++ docs/1_installation.md | 2 +- go.mod | 2 +- go.sum | 6 ---- http.go | 4 +-- http_test.go | 2 +- logging_handler.go | 2 +- logging_handler_test.go | 2 +- main.go | 8 +++--- oauthproxy.go | 28 +++++++++---------- oauthproxy_test.go | 14 +++++----- pkg/apis/middleware/scope.go | 2 +- pkg/apis/middleware/session.go | 2 +- pkg/apis/options/legacy_options.go | 2 +- pkg/apis/options/logging.go | 2 +- pkg/apis/options/options.go | 4 +-- pkg/apis/options/options_suite_test.go | 2 +- pkg/apis/sessions/legacy_v5_tester.go | 2 +- pkg/apis/sessions/session_state.go | 2 +- pkg/apis/sessions/session_state_test.go | 2 +- pkg/authentication/basic/basic_suite_test.go | 2 +- pkg/authentication/basic/htpasswd.go | 2 +- pkg/cookies/cookies.go | 6 ++-- pkg/ip/realclientip.go | 2 +- pkg/ip/realclientip_test.go | 2 +- pkg/logger/logger.go | 2 +- pkg/middleware/basic_session.go | 6 ++-- pkg/middleware/basic_session_test.go | 4 +-- pkg/middleware/jwt_session.go | 6 ++-- pkg/middleware/jwt_session_test.go | 4 +-- pkg/middleware/middleware_suite_test.go | 2 +- pkg/middleware/redirect_to_https.go | 2 +- pkg/middleware/scope.go | 2 +- pkg/middleware/scope_test.go | 2 +- pkg/middleware/stored_session.go | 4 +-- pkg/middleware/stored_session_test.go | 4 +-- pkg/requests/requests_suite_test.go | 2 +- pkg/sessions/cookie/session_store.go | 10 +++---- pkg/sessions/cookie/session_store_test.go | 8 +++--- pkg/sessions/persistence/manager.go | 4 +-- pkg/sessions/persistence/manager_test.go | 6 ++-- .../persistence/persistence_suite_test.go | 2 +- 
pkg/sessions/persistence/ticket.go | 8 +++--- pkg/sessions/persistence/ticket_test.go | 4 +-- pkg/sessions/redis/redis_store.go | 8 +++--- pkg/sessions/redis/redis_store_test.go | 10 +++---- pkg/sessions/session_store.go | 8 +++--- pkg/sessions/session_store_test.go | 12 ++++---- pkg/sessions/tests/session_store_tests.go | 8 +++--- pkg/upstream/http.go | 2 +- pkg/upstream/http_test.go | 2 +- pkg/upstream/proxy.go | 4 +-- pkg/upstream/proxy_test.go | 2 +- pkg/upstream/upstream_suite_test.go | 2 +- pkg/validation/cookie.go | 4 +-- pkg/validation/cookie_test.go | 2 +- pkg/validation/logging.go | 4 +-- pkg/validation/options.go | 12 ++++---- pkg/validation/options_test.go | 2 +- pkg/validation/sessions.go | 6 ++-- pkg/validation/sessions_test.go | 2 +- pkg/validation/upstreams.go | 2 +- pkg/validation/upstreams_test.go | 2 +- pkg/validation/validation_suite_test.go | 2 +- providers/auth_test.go | 2 +- providers/azure.go | 6 ++-- providers/bitbucket.go | 6 ++-- providers/bitbucket_test.go | 2 +- providers/digitalocean.go | 4 +-- providers/digitalocean_test.go | 2 +- providers/facebook.go | 4 +-- providers/github.go | 6 ++-- providers/github_test.go | 2 +- providers/gitlab.go | 4 +-- providers/gitlab_test.go | 2 +- providers/google.go | 6 ++-- providers/internal_util.go | 4 +-- providers/internal_util_test.go | 2 +- providers/keycloak.go | 6 ++-- providers/keycloak_test.go | 2 +- providers/linkedin.go | 4 +-- providers/linkedin_test.go | 2 +- providers/logingov.go | 4 +-- providers/nextcloud.go | 4 +-- providers/nextcloud_test.go | 2 +- providers/oidc.go | 4 +-- providers/oidc_test.go | 2 +- providers/provider_data.go | 2 +- providers/provider_default.go | 4 +-- providers/provider_default_test.go | 2 +- providers/providers.go | 2 +- templates.go | 2 +- validator.go | 2 +- watcher.go | 2 +- watcher_unsupported.go | 2 +- 95 files changed, 192 insertions(+), 194 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e1ac92702..e49f3e64e3 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md @@ -12,6 +12,9 @@ ## Breaking Changes - [#722](https://github.com/oauth2-proxy/oauth2-proxy/pull/722) When a Redis session store is configured, OAuth2-Proxy will fail to start up unless connection and health checks to Redis pass +- [#800](https://github.com/oauth2-proxy/oauth2-proxy/pull/800) Fix import path for v7. The import path has changed to support the go get installation. + - You can now `go get github.com/oauth2-proxy/oauth2-proxy/v7` to get the latest `v7` version of OAuth2 Proxy + - Import paths for package are now under `v7`, eg `github.com/oauth2-proxy/oauth2-proxy/v7/pkg/` - [#753](https://github.com/oauth2-proxy/oauth2-proxy/pull/753) A bug in the Azure provider prevented it from properly passing the configured protected `--resource` via the login url. If this option was used in the past, behavior will change with this release as it will affect the tokens returned by Azure. In the past, the tokens were always for `https://graph.microsoft.com` (the default) @@ -25,6 +28,7 @@ - [#791](https://github.com/oauth2-proxy/oauth2-proxy/pull/791) Remove GetPreferredUsername method from provider interface (@NickMeves) - [#764](https://github.com/oauth2-proxy/oauth2-proxy/pull/764) Document bcrypt encryption for htpasswd (and hide SHA) (@lentzi90) - [#616](https://github.com/oauth2-proxy/oauth2-proxy/pull/616) Add support to ensure user belongs in required groups when using the OIDC provider (@stefansedich) +- [#800](https://github.com/oauth2-proxy/oauth2-proxy/pull/800) Fix import path for v7 (@johejo) # v6.1.1 diff --git a/docs/1_installation.md b/docs/1_installation.md index 79888db2d4..f2415629e5 100644 --- a/docs/1_installation.md +++ b/docs/1_installation.md 
@@ -11,7 +11,7 @@ nav_order: 1 a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v6.1.1`) - b. Build with `$ go get github.com/oauth2-proxy/oauth2-proxy` which will put the binary in `$GOROOT/bin` + b. Build with `$ go get github.com/oauth2-proxy/oauth2-proxy/v7` which will put the binary in `$GOPATH/bin` c. Using the prebuilt docker image [quay.io/oauth2-proxy/oauth2-proxy](https://quay.io/oauth2-proxy/oauth2-proxy) (AMD64, ARMv6 and ARM64 tags available) diff --git a/go.mod b/go.mod index b02815a688..7e4d28bf62 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/oauth2-proxy/oauth2-proxy +module github.com/oauth2-proxy/oauth2-proxy/v7 go 1.14 diff --git a/go.sum b/go.sum index 444ed563be..4f4922cfd6 100644 --- a/go.sum +++ b/go.sum 
@@ -150,15 +150,11 @@ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.0 h1:Iw5WCbBcaAAd0fpRb1c9r5YCylv4XDoCSigm1zLevwU= -github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.14.0 h1:2mOpI4JVVPBN+WQRa0WKH2eXR+Ey+uK4n7Zj0aYpIQA= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.9.0 h1:R1uwffexN6Pr340GtYRIdZmAiN4J+iw6WG4wog1DUXg= -github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc= 
@@ -295,8 +291,6 @@ golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135 h1:5Beo0mZN8dRzgrMMkDp0jc8YXQKx9DiJ2k1dkvGsn5A= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= diff --git a/http.go b/http.go index fd0d6b76b8..48cac1333b 100644 --- a/http.go +++ b/http.go @@ -9,8 +9,8 @@ import ( "strings" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" ) // Server represents an HTTP server diff --git a/http_test.go b/http_test.go index ba516b971d..f4e128430f 100644 --- a/http_test.go +++ b/http_test.go @@ -6,7 +6,7 @@ import ( "testing" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" "github.com/stretchr/testify/assert" ) diff --git a/logging_handler.go b/logging_handler.go index 1c8574135c..6da38c0ace 100644 --- a/logging_handler.go +++ b/logging_handler.go 
@@ -10,7 +10,7 @@ import ( "net/http" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" ) // responseLogger is wrapper of http.ResponseWriter that keeps track of its HTTP status diff --git a/logging_handler_test.go b/logging_handler_test.go index 5582af83c3..1938c54bb8 100644 --- a/logging_handler_test.go +++ b/logging_handler_test.go @@ -6,7 +6,7 @@ import ( "net/http/httptest" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" "github.com/stretchr/testify/assert" ) diff --git a/main.go b/main.go index 527d55ad38..8cd3ee5bb3 100644 --- a/main.go +++ b/main.go @@ -11,10 +11,10 @@ import ( "time" "github.com/justinas/alice" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/middleware" - "github.com/oauth2-proxy/oauth2-proxy/pkg/validation" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/middleware" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/validation" ) func main() { diff --git a/oauthproxy.go b/oauthproxy.go index 0f69caabf7..092dcc938c 100644 --- a/oauthproxy.go +++ b/oauthproxy.go 
@@ -16,20 +16,20 @@ import ( "github.com/coreos/go-oidc" "github.com/justinas/alice" - ipapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/ip" - middlewareapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/middleware" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/authentication/basic" - "github.com/oauth2-proxy/oauth2-proxy/pkg/cookies" - "github.com/oauth2-proxy/oauth2-proxy/pkg/encryption" - "github.com/oauth2-proxy/oauth2-proxy/pkg/ip" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/middleware" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/upstream" - "github.com/oauth2-proxy/oauth2-proxy/pkg/util" - "github.com/oauth2-proxy/oauth2-proxy/providers" + ipapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/ip" + middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/authentication/basic" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/cookies" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/ip" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/middleware" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/upstream" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util" + "github.com/oauth2-proxy/oauth2-proxy/v7/providers" ) const ( diff --git a/oauthproxy_test.go b/oauthproxy_test.go index 395df820f7..33f131cda1 100644 --- a/oauthproxy_test.go +++ b/oauthproxy_test.go 
@@ -19,13 +19,13 @@ import ( "github.com/coreos/go-oidc" "github.com/mbland/hmacauth" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - sessionscookie "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/cookie" - "github.com/oauth2-proxy/oauth2-proxy/pkg/upstream" - "github.com/oauth2-proxy/oauth2-proxy/pkg/validation" - "github.com/oauth2-proxy/oauth2-proxy/providers" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + sessionscookie "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/cookie" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/upstream" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/validation" + "github.com/oauth2-proxy/oauth2-proxy/v7/providers" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/pkg/apis/middleware/scope.go b/pkg/apis/middleware/scope.go index c8153d1a93..37f6f336d6 100644 --- a/pkg/apis/middleware/scope.go +++ b/pkg/apis/middleware/scope.go @@ -1,7 +1,7 @@ package middleware import ( - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" ) // RequestScope contains information regarding the request that is being made. diff --git a/pkg/apis/middleware/session.go b/pkg/apis/middleware/session.go index 344ba31ef6..95a76fba55 100644 --- a/pkg/apis/middleware/session.go +++ b/pkg/apis/middleware/session.go @@ -4,7 +4,7 @@ import ( "context" "github.com/coreos/go-oidc" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" ) // TokenToSessionFunc takes a rawIDToken and an idToken and converts it into a 
diff --git a/pkg/apis/options/legacy_options.go b/pkg/apis/options/legacy_options.go index a2256dafaa..2fe55ddd20 100644 --- a/pkg/apis/options/legacy_options.go +++ b/pkg/apis/options/legacy_options.go @@ -7,7 +7,7 @@ import ( "strings" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" "github.com/spf13/pflag" ) diff --git a/pkg/apis/options/logging.go b/pkg/apis/options/logging.go index b133825e15..1c6f941533 100644 --- a/pkg/apis/options/logging.go +++ b/pkg/apis/options/logging.go @@ -1,7 +1,7 @@ package options import ( - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" "github.com/spf13/pflag" ) diff --git a/pkg/apis/options/options.go b/pkg/apis/options/options.go index e9f506cb66..bcb600e92e 100644 --- a/pkg/apis/options/options.go +++ b/pkg/apis/options/options.go @@ -6,8 +6,8 @@ import ( "regexp" oidc "github.com/coreos/go-oidc" - ipapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/ip" - "github.com/oauth2-proxy/oauth2-proxy/providers" + ipapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/ip" + "github.com/oauth2-proxy/oauth2-proxy/v7/providers" "github.com/spf13/pflag" ) diff --git a/pkg/apis/options/options_suite_test.go b/pkg/apis/options/options_suite_test.go index a25cbe42c8..6e1a05f3c0 100644 --- a/pkg/apis/options/options_suite_test.go +++ b/pkg/apis/options/options_suite_test.go @@ -3,7 +3,7 @@ package options import ( "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) diff --git a/pkg/apis/sessions/legacy_v5_tester.go b/pkg/apis/sessions/legacy_v5_tester.go index 25bc0b0c62..8fab4eae6a 100644 --- a/pkg/apis/sessions/legacy_v5_tester.go +++ b/pkg/apis/sessions/legacy_v5_tester.go 
@@ -5,7 +5,7 @@ import ( "testing" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/encryption" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption" "github.com/stretchr/testify/assert" ) diff --git a/pkg/apis/sessions/session_state.go b/pkg/apis/sessions/session_state.go index b10c347ae3..c3db8994b1 100644 --- a/pkg/apis/sessions/session_state.go +++ b/pkg/apis/sessions/session_state.go @@ -11,7 +11,7 @@ import ( "time" "unicode/utf8" - "github.com/oauth2-proxy/oauth2-proxy/pkg/encryption" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption" "github.com/pierrec/lz4" "github.com/vmihailenco/msgpack/v4" ) diff --git a/pkg/apis/sessions/session_state_test.go b/pkg/apis/sessions/session_state_test.go index 3100592891..4a91bdecc1 100644 --- a/pkg/apis/sessions/session_state_test.go +++ b/pkg/apis/sessions/session_state_test.go @@ -8,7 +8,7 @@ import ( "testing" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/encryption" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption" . "github.com/onsi/gomega" "github.com/stretchr/testify/assert" ) diff --git a/pkg/authentication/basic/basic_suite_test.go b/pkg/authentication/basic/basic_suite_test.go index 4d5fa806b0..6ba23fc322 100644 --- a/pkg/authentication/basic/basic_suite_test.go +++ b/pkg/authentication/basic/basic_suite_test.go @@ -3,7 +3,7 @@ package basic import ( "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) diff --git a/pkg/authentication/basic/htpasswd.go b/pkg/authentication/basic/htpasswd.go index a0ec9c2295..47a1dd3f14 100644 --- a/pkg/authentication/basic/htpasswd.go +++ b/pkg/authentication/basic/htpasswd.go @@ -9,7 +9,7 @@ import ( "io" "os" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" "golang.org/x/crypto/bcrypt" ) 
diff --git a/pkg/cookies/cookies.go b/pkg/cookies/cookies.go index 0d4996399d..9b6dc03d4d 100644 --- a/pkg/cookies/cookies.go +++ b/pkg/cookies/cookies.go @@ -7,9 +7,9 @@ import ( "strings" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/util" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util" ) // MakeCookie constructs a cookie from the given parameters, diff --git a/pkg/ip/realclientip.go b/pkg/ip/realclientip.go index b82a3c6ebd..dd99ed5578 100644 --- a/pkg/ip/realclientip.go +++ b/pkg/ip/realclientip.go @@ -6,7 +6,7 @@ import ( "net/http" "strings" - ipapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/ip" + ipapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/ip" ) func GetRealClientIPParser(headerKey string) (ipapi.RealClientIPParser, error) { diff --git a/pkg/ip/realclientip_test.go b/pkg/ip/realclientip_test.go index b24b733b02..810ce7e0e7 100644 --- a/pkg/ip/realclientip_test.go +++ b/pkg/ip/realclientip_test.go @@ -6,7 +6,7 @@ import ( "reflect" "testing" - ipapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/ip" + ipapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/ip" "github.com/stretchr/testify/assert" ) diff --git a/pkg/logger/logger.go b/pkg/logger/logger.go index 901d0a0df7..3d1dced489 100644 --- a/pkg/logger/logger.go +++ b/pkg/logger/logger.go @@ -12,7 +12,7 @@ import ( "text/template" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/util" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util" ) // AuthStatus defines the different types of auth logging that occur diff --git a/pkg/middleware/basic_session.go b/pkg/middleware/basic_session.go index 0226415509..5a7b77f912 100644 --- a/pkg/middleware/basic_session.go +++ b/pkg/middleware/basic_session.go 
@@ -5,9 +5,9 @@ import ( "net/http" "github.com/justinas/alice" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/authentication/basic" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/authentication/basic" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" ) func NewBasicAuthSessionLoader(validator basic.Validator) alice.Constructor { diff --git a/pkg/middleware/basic_session_test.go b/pkg/middleware/basic_session_test.go index 109b09a5d0..35e4f8047a 100644 --- a/pkg/middleware/basic_session_test.go +++ b/pkg/middleware/basic_session_test.go @@ -6,8 +6,8 @@ import ( "net/http" "net/http/httptest" - middlewareapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/middleware" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" diff --git a/pkg/middleware/jwt_session.go b/pkg/middleware/jwt_session.go index 3f17296d06..024a45acc2 100644 --- a/pkg/middleware/jwt_session.go +++ b/pkg/middleware/jwt_session.go @@ -8,9 +8,9 @@ import ( "github.com/coreos/go-oidc" "github.com/justinas/alice" - middlewareapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/middleware" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" ) const jwtRegexFormat = `^eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+$` 
diff --git a/pkg/middleware/jwt_session_test.go b/pkg/middleware/jwt_session_test.go index 5148ad2862..b950373186 100644 --- a/pkg/middleware/jwt_session_test.go +++ b/pkg/middleware/jwt_session_test.go @@ -15,8 +15,8 @@ import ( "github.com/coreos/go-oidc" "github.com/dgrijalva/jwt-go" - middlewareapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/middleware" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" diff --git a/pkg/middleware/middleware_suite_test.go b/pkg/middleware/middleware_suite_test.go index 204a979819..1a0d2f141d 100644 --- a/pkg/middleware/middleware_suite_test.go +++ b/pkg/middleware/middleware_suite_test.go @@ -4,7 +4,7 @@ import ( "net/http" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) diff --git a/pkg/middleware/redirect_to_https.go b/pkg/middleware/redirect_to_https.go index 691a0565ff..18b4b967b6 100644 --- a/pkg/middleware/redirect_to_https.go +++ b/pkg/middleware/redirect_to_https.go @@ -7,7 +7,7 @@ import ( "strings" "github.com/justinas/alice" - "github.com/oauth2-proxy/oauth2-proxy/pkg/util" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util" ) const httpsScheme = "https" diff --git a/pkg/middleware/scope.go b/pkg/middleware/scope.go index d5925ad4ed..88719310fc 100644 --- a/pkg/middleware/scope.go +++ b/pkg/middleware/scope.go @@ -5,7 +5,7 @@ import ( "net/http" "github.com/justinas/alice" - middlewareapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/middleware" + middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware" ) type scopeKey string 
diff --git a/pkg/middleware/scope_test.go b/pkg/middleware/scope_test.go index 5a998bb030..e9533a8dcd 100644 --- a/pkg/middleware/scope_test.go +++ b/pkg/middleware/scope_test.go @@ -5,7 +5,7 @@ import ( "net/http" "net/http/httptest" - middlewareapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/middleware" + middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) diff --git a/pkg/middleware/stored_session.go b/pkg/middleware/stored_session.go index da6de96dc8..6d86e61375 100644 --- a/pkg/middleware/stored_session.go +++ b/pkg/middleware/stored_session.go @@ -8,8 +8,8 @@ import ( "time" "github.com/justinas/alice" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" ) // StoredSessionLoaderOptions cotnains all of the requirements to construct diff --git a/pkg/middleware/stored_session_test.go b/pkg/middleware/stored_session_test.go index 1721b3097a..89eadc5d85 100644 --- a/pkg/middleware/stored_session_test.go +++ b/pkg/middleware/stored_session_test.go @@ -8,8 +8,8 @@ import ( "net/http/httptest" "time" - middlewareapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/middleware" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" diff --git a/pkg/requests/requests_suite_test.go b/pkg/requests/requests_suite_test.go index 83da733ac9..54383ffac6 100644 --- a/pkg/requests/requests_suite_test.go +++ b/pkg/requests/requests_suite_test.go 
@@ -9,7 +9,7 @@ import ( "net/http/httptest" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) diff --git a/pkg/sessions/cookie/session_store.go b/pkg/sessions/cookie/session_store.go index 084193344a..461e08ea66 100644 --- a/pkg/sessions/cookie/session_store.go +++ b/pkg/sessions/cookie/session_store.go @@ -8,11 +8,11 @@ import ( "strings" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - pkgcookies "github.com/oauth2-proxy/oauth2-proxy/pkg/cookies" - "github.com/oauth2-proxy/oauth2-proxy/pkg/encryption" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + pkgcookies "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/cookies" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" ) const ( diff --git a/pkg/sessions/cookie/session_store_test.go b/pkg/sessions/cookie/session_store_test.go index a2670c2c7d..5ef9eff1a1 100644 --- a/pkg/sessions/cookie/session_store_test.go +++ b/pkg/sessions/cookie/session_store_test.go @@ -8,10 +8,10 @@ import ( "testing" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/tests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/tests" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" "github.com/stretchr/testify/assert" 
diff --git a/pkg/sessions/persistence/manager.go b/pkg/sessions/persistence/manager.go index 4697ad21ad..fc621a81ad 100644 --- a/pkg/sessions/persistence/manager.go +++ b/pkg/sessions/persistence/manager.go @@ -5,8 +5,8 @@ import ( "net/http" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" ) // Manager wraps a Store and handles the implementation details of the diff --git a/pkg/sessions/persistence/manager_test.go b/pkg/sessions/persistence/manager_test.go index c41f246bda..791595bd6c 100644 --- a/pkg/sessions/persistence/manager_test.go +++ b/pkg/sessions/persistence/manager_test.go @@ -3,9 +3,9 @@ package persistence import ( "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/tests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/tests" . "github.com/onsi/ginkgo" ) diff --git a/pkg/sessions/persistence/persistence_suite_test.go b/pkg/sessions/persistence/persistence_suite_test.go index 34b443d613..57ccc40c43 100644 --- a/pkg/sessions/persistence/persistence_suite_test.go +++ b/pkg/sessions/persistence/persistence_suite_test.go @@ -3,7 +3,7 @@ package persistence import ( "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) diff --git a/pkg/sessions/persistence/ticket.go b/pkg/sessions/persistence/ticket.go index abb786145d..eb3aafc498 100644 --- a/pkg/sessions/persistence/ticket.go +++ b/pkg/sessions/persistence/ticket.go 
@@ -13,10 +13,10 @@ import ( "strings" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/cookies" - "github.com/oauth2-proxy/oauth2-proxy/pkg/encryption" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/cookies" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption" ) // saveFunc performs a persistent store's save functionality using diff --git a/pkg/sessions/persistence/ticket_test.go b/pkg/sessions/persistence/ticket_test.go index 2e9b8bfcc1..0a121bb071 100644 --- a/pkg/sessions/persistence/ticket_test.go +++ b/pkg/sessions/persistence/ticket_test.go @@ -11,8 +11,8 @@ import ( "testing" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" diff --git a/pkg/sessions/redis/redis_store.go b/pkg/sessions/redis/redis_store.go index dcdf6a27c2..ebd9ad1987 100644 --- a/pkg/sessions/redis/redis_store.go +++ b/pkg/sessions/redis/redis_store.go @@ -8,10 +8,10 @@ import ( "time" "github.com/go-redis/redis/v7" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/persistence" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/persistence" ) // SessionStore is an implementation of the persistence.Store 
diff --git a/pkg/sessions/redis/redis_store_test.go b/pkg/sessions/redis/redis_store_test.go index 12daaab65a..d34d007cc8 100644 --- a/pkg/sessions/redis/redis_store_test.go +++ b/pkg/sessions/redis/redis_store_test.go @@ -9,11 +9,11 @@ import ( "github.com/Bose/minisentinel" "github.com/alicebob/miniredis/v2" "github.com/go-redis/redis/v7" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/persistence" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/tests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/persistence" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/tests" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) diff --git a/pkg/sessions/session_store.go b/pkg/sessions/session_store.go index ba102af84b..3d4b8d9771 100644 --- a/pkg/sessions/session_store.go +++ b/pkg/sessions/session_store.go @@ -3,10 +3,10 @@ package sessions import ( "fmt" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/cookie" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/redis" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/cookie" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/redis" ) // NewSessionStore creates a SessionStore from the provided configuration diff --git a/pkg/sessions/session_store_test.go b/pkg/sessions/session_store_test.go index 2f8d599203..63dc56e5a4 100644 --- a/pkg/sessions/session_store_test.go 
+++ b/pkg/sessions/session_store_test.go @@ -6,12 +6,12 @@ import ( "testing" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions" - sessionscookie "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/cookie" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/persistence" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/redis" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions" + sessionscookie "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/cookie" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/persistence" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/redis" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) diff --git a/pkg/sessions/tests/session_store_tests.go b/pkg/sessions/tests/session_store_tests.go index f23028f32a..df90c7f36f 100644 --- a/pkg/sessions/tests/session_store_tests.go +++ b/pkg/sessions/tests/session_store_tests.go @@ -8,10 +8,10 @@ import ( "strings" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - cookiesapi "github.com/oauth2-proxy/oauth2-proxy/pkg/cookies" - "github.com/oauth2-proxy/oauth2-proxy/pkg/encryption" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + cookiesapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/cookies" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) diff --git a/pkg/upstream/http.go b/pkg/upstream/http.go index 833b139992..88c0afcdc0 100644 --- a/pkg/upstream/http.go +++ b/pkg/upstream/http.go 
@@ -9,7 +9,7 @@ import ( "time" "github.com/mbland/hmacauth" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" "github.com/yhat/wsutil" ) diff --git a/pkg/upstream/http_test.go b/pkg/upstream/http_test.go index c49c0c35e2..8bfe90875b 100644 --- a/pkg/upstream/http_test.go +++ b/pkg/upstream/http_test.go @@ -13,7 +13,7 @@ import ( "strings" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" diff --git a/pkg/upstream/proxy.go b/pkg/upstream/proxy.go index 9197944b33..80d4b4d517 100644 --- a/pkg/upstream/proxy.go +++ b/pkg/upstream/proxy.go @@ -6,8 +6,8 @@ import ( "net/http" "net/url" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" ) // ProxyErrorHandler is a function that will be used to render error pages when diff --git a/pkg/upstream/proxy_test.go b/pkg/upstream/proxy_test.go index 945fb665bf..31b7bfa611 100644 --- a/pkg/upstream/proxy_test.go +++ b/pkg/upstream/proxy_test.go @@ -8,7 +8,7 @@ import ( "net/http" "net/http/httptest" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" diff --git a/pkg/upstream/upstream_suite_test.go b/pkg/upstream/upstream_suite_test.go index 7d8c2ba47c..581a4cf2dd 100644 --- a/pkg/upstream/upstream_suite_test.go +++ b/pkg/upstream/upstream_suite_test.go 
@@ -11,7 +11,7 @@ import ( "path" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" "golang.org/x/net/websocket" diff --git a/pkg/validation/cookie.go b/pkg/validation/cookie.go index 2d5a557af5..2984ac2e0c 100644 --- a/pkg/validation/cookie.go +++ b/pkg/validation/cookie.go @@ -5,8 +5,8 @@ import ( "net/http" "sort" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/encryption" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption" ) func validateCookie(o options.Cookie) []string { diff --git a/pkg/validation/cookie_test.go b/pkg/validation/cookie_test.go index ac2e7951a6..b756daa8fa 100644 --- a/pkg/validation/cookie_test.go +++ b/pkg/validation/cookie_test.go @@ -5,7 +5,7 @@ import ( "testing" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" . "github.com/onsi/gomega" ) diff --git a/pkg/validation/logging.go b/pkg/validation/logging.go index 2ad7aba324..c291405c3b 100644 --- a/pkg/validation/logging.go +++ b/pkg/validation/logging.go @@ -3,8 +3,8 @@ package validation import ( "os" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" "gopkg.in/natefinch/lumberjack.v2" ) diff --git a/pkg/validation/options.go b/pkg/validation/options.go index 9964d2d863..12631eb977 100644 --- a/pkg/validation/options.go +++ b/pkg/validation/options.go 
@@ -15,12 +15,12 @@ import ( "github.com/coreos/go-oidc" "github.com/dgrijalva/jwt-go" "github.com/mbland/hmacauth" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/ip" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" - "github.com/oauth2-proxy/oauth2-proxy/pkg/util" - "github.com/oauth2-proxy/oauth2-proxy/providers" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/ip" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util" + "github.com/oauth2-proxy/oauth2-proxy/v7/providers" ) // Validate checks that required options are set and validates those that they diff --git a/pkg/validation/options_test.go b/pkg/validation/options_test.go index 8c9a892f08..1f418f82c8 100644 --- a/pkg/validation/options_test.go +++ b/pkg/validation/options_test.go @@ -10,7 +10,7 @@ import ( "testing" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" "github.com/stretchr/testify/assert" ) diff --git a/pkg/validation/sessions.go b/pkg/validation/sessions.go index 1d61b92c29..8cacd48bf2 100644 --- a/pkg/validation/sessions.go +++ b/pkg/validation/sessions.go @@ -5,9 +5,9 @@ import ( "fmt" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" - "github.com/oauth2-proxy/oauth2-proxy/pkg/encryption" - "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/redis" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/redis" ) func validateSessionCookieMinimal(o *options.Options) []string { diff --git a/pkg/validation/sessions_test.go b/pkg/validation/sessions_test.go index edd06acfcb..68fac8e108 100644 
--- a/pkg/validation/sessions_test.go +++ b/pkg/validation/sessions_test.go @@ -5,7 +5,7 @@ import ( "github.com/Bose/minisentinel" "github.com/alicebob/miniredis/v2" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" diff --git a/pkg/validation/upstreams.go b/pkg/validation/upstreams.go index 2b491a5d44..5cfe0b1ea5 100644 --- a/pkg/validation/upstreams.go +++ b/pkg/validation/upstreams.go @@ -5,7 +5,7 @@ import ( "net/url" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" ) func validateUpstreams(upstreams options.Upstreams) []string { diff --git a/pkg/validation/upstreams_test.go b/pkg/validation/upstreams_test.go index 86f3da6613..6b8f98290b 100644 --- a/pkg/validation/upstreams_test.go +++ b/pkg/validation/upstreams_test.go @@ -3,7 +3,7 @@ package validation import ( "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" diff --git a/pkg/validation/validation_suite_test.go b/pkg/validation/validation_suite_test.go index 2c6458fecd..c613360a49 100644 --- a/pkg/validation/validation_suite_test.go +++ b/pkg/validation/validation_suite_test.go @@ -3,7 +3,7 @@ package validation import ( "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) diff --git a/providers/auth_test.go b/providers/auth_test.go index 55b98a0fb7..2ece923e8c 100644 --- a/providers/auth_test.go +++ b/providers/auth_test.go 
@@ -5,7 +5,7 @@ import ( "net/http" "net/url" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" ) var authorizedAccessToken = "imaginary_access_token" diff --git a/providers/azure.go b/providers/azure.go index 934f451110..234aaff279 100644 --- a/providers/azure.go +++ b/providers/azure.go @@ -9,9 +9,9 @@ import ( "time" "github.com/bitly/go-simplejson" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" ) // AzureProvider represents an Azure based Identity Provider diff --git a/providers/bitbucket.go b/providers/bitbucket.go index 56f2aa248d..2612a4ba98 100644 --- a/providers/bitbucket.go +++ b/providers/bitbucket.go @@ -5,9 +5,9 @@ import ( "net/url" "strings" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" ) // BitbucketProvider represents an Bitbucket based Identity Provider diff --git a/providers/bitbucket_test.go b/providers/bitbucket_test.go index 917cf4cadc..22ceda572e 100644 --- a/providers/bitbucket_test.go +++ b/providers/bitbucket_test.go @@ -8,7 +8,7 @@ import ( "net/url" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" . "github.com/onsi/gomega" "github.com/stretchr/testify/assert" ) diff --git a/providers/digitalocean.go b/providers/digitalocean.go index c88533e835..94b2ea9001 100644 --- a/providers/digitalocean.go 
+++ b/providers/digitalocean.go @@ -5,8 +5,8 @@ import ( "errors" "net/url" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" ) // DigitalOceanProvider represents a DigitalOcean based Identity Provider diff --git a/providers/digitalocean_test.go b/providers/digitalocean_test.go index 4c8d2a1db4..6e10468f67 100644 --- a/providers/digitalocean_test.go +++ b/providers/digitalocean_test.go @@ -7,7 +7,7 @@ import ( "net/url" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" . "github.com/onsi/gomega" "github.com/stretchr/testify/assert" ) diff --git a/providers/facebook.go b/providers/facebook.go index 7bbc0b45f0..d2ae132d5f 100644 --- a/providers/facebook.go +++ b/providers/facebook.go @@ -5,8 +5,8 @@ import ( "errors" "net/url" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" ) // FacebookProvider represents an Facebook based Identity Provider diff --git a/providers/github.go b/providers/github.go index 4004a88179..40d30799c3 100644 --- a/providers/github.go +++ b/providers/github.go @@ -11,9 +11,9 @@ import ( "strconv" "strings" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" ) // GitHubProvider represents an GitHub based Identity Provider diff --git a/providers/github_test.go b/providers/github_test.go index ab2bb04eea..dba4bcf6d4 100644 
--- a/providers/github_test.go +++ b/providers/github_test.go @@ -7,7 +7,7 @@ import ( "net/url" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" . "github.com/onsi/gomega" "github.com/stretchr/testify/assert" ) diff --git a/providers/gitlab.go b/providers/gitlab.go index 5836e3d6f5..ee15a48642 100644 --- a/providers/gitlab.go +++ b/providers/gitlab.go @@ -7,8 +7,8 @@ import ( "time" oidc "github.com/coreos/go-oidc" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" "golang.org/x/oauth2" ) diff --git a/providers/gitlab_test.go b/providers/gitlab_test.go index 939d634e4f..21bd04f747 100644 --- a/providers/gitlab_test.go +++ b/providers/gitlab_test.go @@ -7,7 +7,7 @@ import ( "net/url" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" "github.com/stretchr/testify/assert" ) diff --git a/providers/google.go b/providers/google.go index d69a09d358..97d1312e29 100644 --- a/providers/google.go +++ b/providers/google.go @@ -13,9 +13,9 @@ import ( "strings" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" "golang.org/x/oauth2/google" admin "google.golang.org/api/admin/directory/v1" "google.golang.org/api/googleapi" diff --git a/providers/internal_util.go b/providers/internal_util.go index b5c2b2844e..346ee80dcf 100644 --- a/providers/internal_util.go +++ b/providers/internal_util.go 
@@ -5,8 +5,8 @@ import ( "net/http" "net/url" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" ) // stripToken is a helper function to obfuscate "access_token" diff --git a/providers/internal_util_test.go b/providers/internal_util_test.go index 03579c011f..991243a11e 100644 --- a/providers/internal_util_test.go +++ b/providers/internal_util_test.go @@ -8,7 +8,7 @@ import ( "net/url" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" "github.com/stretchr/testify/assert" ) diff --git a/providers/keycloak.go b/providers/keycloak.go index 95f907202a..60b3eacaa3 100644 --- a/providers/keycloak.go +++ b/providers/keycloak.go @@ -4,9 +4,9 @@ import ( "context" "net/url" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" ) type KeycloakProvider struct { diff --git a/providers/keycloak_test.go b/providers/keycloak_test.go index 856d2a22a1..3f419f2ee6 100644 --- a/providers/keycloak_test.go +++ b/providers/keycloak_test.go @@ -7,7 +7,7 @@ import ( "net/url" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" . "github.com/onsi/gomega" "github.com/stretchr/testify/assert" ) diff --git a/providers/linkedin.go b/providers/linkedin.go index 99613e43e3..4a45cfe08d 100644 --- a/providers/linkedin.go +++ b/providers/linkedin.go 
@@ -6,8 +6,8 @@ import ( "net/http" "net/url" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" ) // LinkedInProvider represents an LinkedIn based Identity Provider diff --git a/providers/linkedin_test.go b/providers/linkedin_test.go index ffbb8b7368..1ba0c18468 100644 --- a/providers/linkedin_test.go +++ b/providers/linkedin_test.go @@ -7,7 +7,7 @@ import ( "net/url" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" . "github.com/onsi/gomega" "github.com/stretchr/testify/assert" ) diff --git a/providers/logingov.go b/providers/logingov.go index a822108fe7..ff48ccc5d8 100644 --- a/providers/logingov.go +++ b/providers/logingov.go @@ -11,8 +11,8 @@ import ( "time" "github.com/dgrijalva/jwt-go" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" "gopkg.in/square/go-jose.v2" ) diff --git a/providers/nextcloud.go b/providers/nextcloud.go index a7498073b2..4a074d6a91 100644 --- a/providers/nextcloud.go +++ b/providers/nextcloud.go @@ -4,8 +4,8 @@ import ( "context" "fmt" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" ) // NextcloudProvider represents an Nextcloud based Identity Provider diff --git a/providers/nextcloud_test.go b/providers/nextcloud_test.go index ac93d87765..cd26885fd3 100644 --- a/providers/nextcloud_test.go +++ b/providers/nextcloud_test.go 
@@ -7,7 +7,7 @@ import ( "net/url" "testing" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" "github.com/stretchr/testify/assert" ) diff --git a/providers/oidc.go b/providers/oidc.go index 7162740f31..24221caaf8 100644 --- a/providers/oidc.go +++ b/providers/oidc.go @@ -9,8 +9,8 @@ import ( oidc "github.com/coreos/go-oidc" "golang.org/x/oauth2" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" ) const emailClaim = "email" diff --git a/providers/oidc_test.go b/providers/oidc_test.go index 5e91418b76..5b88b9a70f 100644 --- a/providers/oidc_test.go +++ b/providers/oidc_test.go @@ -20,7 +20,7 @@ import ( "github.com/stretchr/testify/assert" "golang.org/x/oauth2" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" ) const accessToken = "access_token" diff --git a/providers/provider_data.go b/providers/provider_data.go index 78aee68774..5fce04ec91 100644 --- a/providers/provider_data.go +++ b/providers/provider_data.go @@ -5,7 +5,7 @@ import ( "io/ioutil" "net/url" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" ) // ProviderData contains information required to configure all implementations diff --git a/providers/provider_default.go b/providers/provider_default.go index 337b284ca5..8a5a98acc8 100644 --- a/providers/provider_default.go +++ b/providers/provider_default.go @@ -10,8 +10,8 @@ import ( "github.com/coreos/go-oidc" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" - "github.com/oauth2-proxy/oauth2-proxy/pkg/requests" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests" ) var _ Provider = (*ProviderData)(nil) 
diff --git a/providers/provider_default_test.go b/providers/provider_default_test.go index 74d7096f92..8597ac6614 100644 --- a/providers/provider_default_test.go +++ b/providers/provider_default_test.go @@ -6,7 +6,7 @@ import ( "testing" "time" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" "github.com/stretchr/testify/assert" ) diff --git a/providers/providers.go b/providers/providers.go index eefc599491..e92b3293f0 100644 --- a/providers/providers.go +++ b/providers/providers.go @@ -4,7 +4,7 @@ import ( "context" "github.com/coreos/go-oidc" - "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" ) // Provider represents an upstream identity provider implementation diff --git a/templates.go b/templates.go index 39e9e14ef3..04aae44c29 100644 --- a/templates.go +++ b/templates.go @@ -5,7 +5,7 @@ import ( "path" "strings" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" ) func loadTemplates(dir string) *template.Template { diff --git a/validator.go b/validator.go index e02a25365d..71f32a2dc8 100644 --- a/validator.go +++ b/validator.go @@ -9,7 +9,7 @@ import ( "sync/atomic" "unsafe" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" ) // UserMap holds information from the authenticated emails file diff --git a/watcher.go b/watcher.go index 642cb36da7..edf1d9bd46 100644 --- a/watcher.go +++ b/watcher.go @@ -9,7 +9,7 @@ import ( "github.com/fsnotify/fsnotify" - "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" ) // WaitForReplacement waits for a file to exist on disk and then starts a watch diff --git a/watcher_unsupported.go b/watcher_unsupported.go index 986cc462e7..4c5a7209ac 100644 --- a/watcher_unsupported.go +++ b/watcher_unsupported.go 
@@ -2,7 +2,7 @@ package main -import "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" +import "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" func WatchForUpdates(filename string, done <-chan bool, action func()) { logger.Errorf("file watching not implemented on this platform")