Merge branch 'master' into feature/release-automation
tuunit authored Oct 31, 2023
2 parents a9d81ee + 66a81e6 commit c101f05
Showing 64 changed files with 1,876 additions and 1,456 deletions.
1 change: 1 addition & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Expand Up @@ -23,3 +23,4 @@
- [ ] My change requires a change to the documentation or CHANGELOG.
- [ ] I have updated the documentation/CHANGELOG accordingly.
- [ ] I have created a feature (non-master) branch for my PR.
- [ ] I have written tests for my code changes.
21 changes: 21 additions & 0 deletions .github/labeler.yml
@@ -0,0 +1,21 @@
go:
- '**/*.go'

docs:
- '**/*.md'

changelog:
- 'CHANGELOG.md'

tests:
- '**/*_test.go'

provider:
- 'providers/**/*'

dependencies:
- 'go.mod'
- 'go.sum'

docker:
- '**/Dockerfile'
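Review bot: The globs overlap, so one file can earn two labels: `CHANGELOG.md` also matches `'**/*.md'` under `docs`, and every `*_test.go` file also matches `'**/*.go'` under `go`. If `changelog` and `tests` are meant to stand apart from `docs` and `go`, narrow the broader patterns or add a short comment saying the double labelling is intended. None of the patterns matches workflow files such as `.github/workflows/*.yaml`, so the changes that deserve the closest review arrive unlabelled; a dedicated label for them would help triage.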
15 changes: 15 additions & 0 deletions .github/workflows/labeler.yaml
@@ -0,0 +1,15 @@
name: "Pull Request Labeler"
on:
pull_request_target:

jobs:
triage:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v4
with:
sync: true
dot: true
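Review bot: `uses: actions/labeler@v4` pins the action to a movable tag in a workflow triggered by `pull_request_target`, which runs in the base repository's context and here holds `pull-requests: write`. Pin it to a full commit SHA, with the version in a trailing comment, so a retagged release cannot change what runs with that token. The scoped `permissions` block and the absence of a checkout step are the right shape for this trigger; keep it that way if steps are added later. Also confirm that `sync` is an input this action declares: its README names the label-removal option `sync-labels`, and an undeclared `with:` key is ignored with only a warning.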
7 changes: 2 additions & 5 deletions .golangci.yml
Expand Up @@ -3,19 +3,15 @@ run:
linters:
enable:
- govet
- golint
- ineffassign
- goconst
- deadcode
- gofmt
- goimports
- gosec
- gosimple
- staticcheck
- structcheck
- typecheck
- unused
- varcheck
- bodyclose
- dogsled
- goprintffuncname
Expand All @@ -25,6 +21,7 @@ linters:
- stylecheck
- unconvert
- gocritic
- revive
disable-all: true
issues:
exclude-rules:
Expand All @@ -38,6 +35,6 @@ issues:
# If we have tests in shared test folders, these can be less strictly linted
- path: tests/.*_tests\.go
linters:
- golint
- revive
- bodyclose
- stylecheck
8 changes: 7 additions & 1 deletion CHANGELOG.md
Expand Up @@ -7,8 +7,14 @@
## Breaking Changes

## Changes since v7.5.1
- [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll)

- [#2237](https://github.com/oauth2-proxy/oauth2-proxy/pull/2237) adds an option to append CA certificates (@emsixteeen)
- [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll)
- [#2274](https://github.com/oauth2-proxy/oauth2-proxy/pull/2274) Upgrade golang.org/x/net to v0.17.0 (@pierluigilenoci)
- [#2282](https://github.com/oauth2-proxy/oauth2-proxy/pull/2282) Fixed checking Google Groups membership using Google Application Credentials (@kvanzuijlen)
- [#2183](https://github.com/oauth2-proxy/oauth2-proxy/pull/2183) Allowing relative redirect url though an option
- [#1866](https://github.com/oauth2-proxy/oauth2-proxy/pull/1866) Add support for unix socker as upstream (@babs)
-
# V7.5.1

## Release Highlights
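Review bot: The new entries under "Changes since v7.5.1" need a tidy-up before release notes are cut from them: the #2183 line has no author attribution and reads "though an option" where "through" is meant, the #1866 line says "unix socker" for "unix socket", and the list ends in an empty `-` bullet. The #2128 line also appears twice in this hunk; check that only one copy remains in the merged file.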
2 changes: 1 addition & 1 deletion contrib/local-environment/docker-compose-gitea.yaml
Expand Up @@ -14,7 +14,7 @@ version: '3.0'
services:
oauth2-proxy:
container_name: oauth2-proxy
image: gitea-oauth #quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
image: gitea-oauth #quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
command: --config /oauth2-proxy.cfg
hostname: oauth2-proxy
volumes:
2 changes: 1 addition & 1 deletion contrib/local-environment/docker-compose-keycloak.yaml
Expand Up @@ -15,7 +15,7 @@ services:

oauth2-proxy:
container_name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.0
image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
command: --config /oauth2-proxy.cfg
hostname: oauth2-proxy
volumes:
2 changes: 1 addition & 1 deletion contrib/local-environment/docker-compose.yaml
Expand Up @@ -13,7 +13,7 @@ version: '3.0'
services:
oauth2-proxy:
container_name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.0
image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
command: --config /oauth2-proxy.cfg
ports:
- 4180:4180/tcp
2 changes: 1 addition & 1 deletion contrib/local-environment/oauth2-proxy-alpha-config.yaml
Expand Up @@ -20,4 +20,4 @@ providers:
clientSecret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
clientID: oauth2-proxy
oidcConfig:
oidcIssuerURL: http://dex.localhost:4190/dex
issuerURL: http://dex.localhost:4190/dex
18 changes: 10 additions & 8 deletions docs/docs/configuration/alpha_config.md
Expand Up @@ -23,13 +23,13 @@ When using alpha configuration, your config file will look something like below:
```yaml
upstreams:
- id: ...
...
...: ...
injectRequestHeaders:
- name: ...
...
...: ...
injectResponseHeaders:
- name: ...
...
...: ...
```
Please browse the [reference](#configuration-reference) below for the structure
Expand Down Expand Up @@ -223,7 +223,7 @@ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
| Field | Type | Description |
| ----- | ---- | ----------- |
| `group` | _[]string_ | Group sets restrict logins to members of this group |
| `projects` | _[]string_ | Projects restricts logins to members of any of these projects |
| `projects` | _[]string_ | Projects restricts logins to members of these projects |

### GoogleOptions
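Review bot: In the `projects` row, dropping "any of" leaves it unclear whether a user must belong to one listed project or to all of them. This field gates login, so the description should state the rule explicitly, for example by keeping "members of any of these projects" if that is the behaviour. The `group` row above has the same ambiguity ("this group" for a `[]string`).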

Expand All @@ -233,10 +233,11 @@ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

| Field | Type | Description |
| ----- | ---- | ----------- |
| `group` | _[]string_ | Groups sets restrict logins to members of this google group |
| `adminEmail` | _string_ | AdminEmail is the google admin to impersonate for api calls |
| `group` | _[]string_ | Groups sets restrict logins to members of this Google group |
| `adminEmail` | _string_ | AdminEmail is the Google admin to impersonate for api calls |
| `serviceAccountJson` | _string_ | ServiceAccountJSON is the path to the service account json credentials |
| `useApplicationDefaultCredentials` | _bool_ | UseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON |
| `targetPrincipal` | _string_ | TargetPrincipal is the Google Service Account used for Application Default Credentials |

### Header
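Review bot: The new `targetPrincipal` row does not say when the field applies or what happens when it is empty. State whether it is only read when `useApplicationDefaultCredentials` is true and how it relates to `adminEmail` and `serviceAccountJson`, since these fields together decide which Google identity makes the API calls. While the "Google" casing is being fixed, "api" and "json" in the neighbouring descriptions could become "API" and "JSON".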

Expand Down Expand Up @@ -414,6 +415,7 @@ Provider holds all configuration for a single provider
| `provider` | _[ProviderType](#providertype)_ | Type is the OAuth provider<br/>must be set from the supported providers group,<br/>otherwise 'Google' is set as default |
| `name` | _string_ | Name is the providers display name<br/>if set, it will be shown to the users in the login page. |
| `caFiles` | _[]string_ | CAFiles is a list of paths to CA certificates that should be used when connecting to the provider.<br/>If not specified, the default Go trust sources are used instead |
| `useSystemTrustStore` | _bool_ | UseSystemTrustStore determines if your custom CA files and the system trust store are used<br/>If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. |
| `loginURL` | _string_ | LoginURL is the authentication endpoint |
| `loginURLParameters` | _[[]LoginURLParameter](#loginurlparameter)_ | LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL |
| `redeemURL` | _string_ | RedeemURL is the token redemption endpoint |
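Review bot: The `useSystemTrustStore` description omits the default and runs two sentences together: the first sentence has no full stop, and "are used otherwise only your custom CA files" needs a comma before "otherwise". Say what the default is, because setting this to true widens the set of CAs trusted for the provider connection from the custom files alone to the custom files plus the system store. The `caFiles` row above still says the default Go trust sources are used only when no files are given; add a pointer to the new field there so the two rows do not appear to contradict each other.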
Expand Down Expand Up @@ -510,7 +512,7 @@ Requests will be proxied to this upstream if the path matches the request path.
| `path` | _string_ | Path is used to map requests to the upstream server.<br/>The closest match will take precedence and all Paths must be unique.<br/>Path can also take a pattern when used with RewriteTarget.<br/>Path segments can be captured and matched using regular experessions.<br/>Eg:<br/>- `^/foo$`: Match only the explicit path `/foo`<br/>- `^/bar/$`: Match any path prefixed with `/bar/`<br/>- `^/baz/(.*)$`: Match any path prefixed with `/baz` and capture the remaining path for use with RewriteTarget |
| `rewriteTarget` | _string_ | RewriteTarget allows users to rewrite the request path before it is sent to<br/>the upstream server.<br/>Use the Path to capture segments for reuse within the rewrite target.<br/>Eg: With a Path of `^/baz/(.*)`, a RewriteTarget of `/foo/$1` would rewrite<br/>the request `/baz/abc/123` to `/foo/abc/123` before proxying to the<br/>upstream server. |
| `uri` | _string_ | The URI of the upstream server. This may be an HTTP(S) server of a File<br/>based URL. It may include a path, in which case all requests will be served<br/>under that path.<br/>Eg:<br/>- http://localhost:8080<br/>- https://service.localhost<br/>- https://service.localhost/path<br/>- file://host/path<br/>If the URI's path is "/base" and the incoming request was for "/dir",<br/>the upstream request will be for "/base/dir". |
| `insecureSkipTLSVerify` | _bool_ | InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br/>This option is insecure and will allow potential Man-In-The-Middle attacks<br/>betweem OAuth2 Proxy and the usptream server.<br/>Defaults to false. |
| `insecureSkipTLSVerify` | _bool_ | InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br/>This option is insecure and will allow potential Man-In-The-Middle attacks<br/>between OAuth2 Proxy and the upstream server.<br/>Defaults to false. |
| `static` | _bool_ | Static will make all requests to this upstream have a static response.<br/>The response will have a body of "Authenticated" and a response code<br/>matching StaticCode.<br/>If StaticCode is not set, the response will return a 200 response. |
| `staticCode` | _int_ | StaticCode determines the response code for the Static response.<br/>This option can only be used with Static enabled. |
| `flushInterval` | _[Duration](#duration)_ | FlushInterval is the period between flushing the response buffer when<br/>streaming response from the upstream.<br/>Defaults to 1 second. |
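Review bot: In the `path` row, the example `^/bar/$` is described as matching "any path prefixed with `/bar/`", but read as a regular expression the trailing `$` anchors it to exactly `/bar/`. Since this pattern decides which requests reach an upstream, confirm the behaviour against the matcher and either drop the `$` from the example or reword the description. The same row still has "experessions", which could be fixed alongside the `insecureSkipTLSVerify` spelling corrections.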
Expand All @@ -526,5 +528,5 @@ UpstreamConfig is a collection of definitions for upstream servers.
| Field | Type | Description |
| ----- | ---- | ----------- |
| `proxyRawPath` | _bool_ | ProxyRawPath will pass the raw url path to upstream allowing for url's<br/>like: "/%2F/" which would otherwise be redirected to "/" |
| `proxyRawPath` | _bool_ | ProxyRawPath will pass the raw url path to upstream allowing for urls<br/>like: "/%2F/" which would otherwise be redirected to "/" |
| `upstreams` | _[[]Upstream](#upstream)_ | Upstreams represents the configuration for the upstream servers.<br/>Requests will be proxied to this upstream if the path matches the request path. |
6 changes: 3 additions & 3 deletions docs/docs/configuration/alpha_config.md.tmpl
Expand Up @@ -23,13 +23,13 @@ When using alpha configuration, your config file will look something like below:
```yaml
upstreams:
- id: ...
...
...: ...
injectRequestHeaders:
- name: ...
...
...: ...
injectResponseHeaders:
- name: ...
...
...: ...
```

Please browse the [reference](#configuration-reference) below for the structure