From 8d03adfd0456bc458671ada9c5ce42ff46d0755e Mon Sep 17 00:00:00 2001 From: Pierluigi Lenoci Date: Tue, 24 Oct 2023 13:33:03 +0200 Subject: [PATCH 01/17] Upgrade golang.org/x/net to v0.17.0 (#2274) * golang.org/x/net upgrade to v0.17.0 https://artifacthub.io/packages/helm/oauth2-proxy/oauth2-proxy?modal=security-report * Update CHANGELOG.md * go mod tidy --- CHANGELOG.md | 1 + go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ae9aa9fd4..91f8a46fb0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ ## Changes since v7.5.1 - [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll) +- [#2274](https://github.com/oauth2-proxy/oauth2-proxy/pull/2274) Upgrade golang.org/x/net to v0.17.0 (@pierluigilenoci) # V7.5.1 diff --git a/go.mod b/go.mod index 9ffe096c2d..30fc2a16ba 100644 --- a/go.mod +++ b/go.mod @@ -30,9 +30,9 @@ require ( github.com/spf13/viper v1.6.3 github.com/stretchr/testify v1.8.3 github.com/vmihailenco/msgpack/v5 v5.3.5 - golang.org/x/crypto v0.9.0 + golang.org/x/crypto v0.14.0 golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 - golang.org/x/net v0.10.0 + golang.org/x/net v0.17.0 golang.org/x/oauth2 v0.8.0 golang.org/x/sync v0.2.0 google.golang.org/api v0.125.0 @@ -73,8 +73,8 @@ require ( github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 // indirect go.opencensus.io v0.24.0 // indirect - golang.org/x/sys v0.8.0 // indirect - golang.org/x/text v0.9.0 // indirect + golang.org/x/sys v0.13.0 // indirect + golang.org/x/text v0.13.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect google.golang.org/grpc v1.55.0 // indirect diff --git a/go.sum b/go.sum index c11b717aaf..e4ab5567c6 100644 --- a/go.sum +++ b/go.sum @@ -395,8 +395,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g= -golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -473,8 +473,8 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -546,8 +546,8 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -559,8 +559,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From e13a5048eb41c118adbb1c8e8342a61c9e5d6b98 Mon Sep 17 00:00:00 2001 From: kvanzuijlen <8818390+kvanzuijlen@users.noreply.github.com> Date: Tue, 24 Oct 2023 16:31:32 +0200 Subject: [PATCH 02/17] Updated linters --- .golangci.yml | 7 ++----- oauthproxy_test.go | 5 ++--- pkg/apis/sessions/lock.go | 8 ++++---- pkg/providers/oidc/verifier_test.go | 2 +- pkg/sessions/tests/mock_lock.go | 8 ++++---- pkg/validation/header.go | 2 +- providers/adfs.go | 2 +- providers/internal_util_test.go | 4 ++-- providers/oidc.go | 2 +- 9 files changed, 18 insertions(+), 22 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 9ef1ce69c0..1f82359b07 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -3,19 +3,15 @@ run: linters: enable: - govet - - golint - ineffassign - goconst - - deadcode - gofmt - goimports - gosec - gosimple - staticcheck - - structcheck - typecheck - unused - - varcheck - bodyclose - dogsled - goprintffuncname @@ -25,6 +21,7 @@ linters: - stylecheck - unconvert - gocritic + - revive disable-all: true issues: exclude-rules: @@ -38,6 +35,6 @@ issues: # If we have tests in shared test folders, these can be less strictly linted - path: tests/.*_tests\.go linters: - - golint + - revive - bodyclose - stylecheck diff --git a/oauthproxy_test.go b/oauthproxy_test.go index 0d8bc91a6e..366ca7ee6d 100644 --- a/oauthproxy_test.go +++ b/oauthproxy_test.go @@ -448,9 +448,8 @@ func (patTest *PassAccessTokenTest) getEndpointWithCookie(cookie string, endpoin value = strings.TrimPrefix(field, keyPrefix) if value != field { break - } else { - value = "" } + value = "" } if value == "" { return 0, "" @@ -612,7 +611,7 @@ func (sipTest *SignInPageTest) GetEndpoint(endpoint string) (int, string) { type AlwaysSuccessfulValidator struct { } -func (AlwaysSuccessfulValidator) Validate(user, password string) bool { +func (AlwaysSuccessfulValidator) Validate(_, _ string) bool { return true } diff --git a/pkg/apis/sessions/lock.go b/pkg/apis/sessions/lock.go index dd08077083..15f8dd1f48 100644 --- a/pkg/apis/sessions/lock.go +++ b/pkg/apis/sessions/lock.go @@ -7,18 +7,18 @@ import ( type NoOpLock struct{} -func (l *NoOpLock) Obtain(ctx context.Context, expiration time.Duration) error { +func (l *NoOpLock) Obtain(_ context.Context, _ time.Duration) error { return nil } -func (l *NoOpLock) Peek(ctx context.Context) (bool, error) { +func (l *NoOpLock) Peek(_ context.Context) (bool, error) { return false, nil } -func (l *NoOpLock) Refresh(ctx context.Context, expiration time.Duration) error { +func (l *NoOpLock) Refresh(_ context.Context, _ time.Duration) error { return nil } -func (l *NoOpLock) Release(ctx context.Context) error { +func (l *NoOpLock) Release(_ context.Context) error { return nil } diff --git a/pkg/providers/oidc/verifier_test.go b/pkg/providers/oidc/verifier_test.go index c82de7aff1..dd125e7709 100755 --- a/pkg/providers/oidc/verifier_test.go +++ b/pkg/providers/oidc/verifier_test.go @@ -199,7 +199,7 @@ type testVerifier struct { jwk jose.JSONWebKey } -func (t *testVerifier) VerifySignature(ctx context.Context, jwt string) ([]byte, error) { +func (t *testVerifier) VerifySignature(_ context.Context, jwt string) ([]byte, error) { jws, err := jose.ParseSigned(jwt) if err != nil { return nil, fmt.Errorf("oidc: malformed jwt: %v", err) diff --git a/pkg/sessions/tests/mock_lock.go b/pkg/sessions/tests/mock_lock.go index dbf3d6381c..ff29b52ce3 100644 --- a/pkg/sessions/tests/mock_lock.go +++ b/pkg/sessions/tests/mock_lock.go @@ -12,19 +12,19 @@ type MockLock struct { elapsed time.Duration } -func (l *MockLock) Obtain(ctx context.Context, expiration time.Duration) error { +func (l *MockLock) Obtain(_ context.Context, expiration time.Duration) error { l.expiration = expiration return nil } -func (l *MockLock) Peek(ctx context.Context) (bool, error) { +func (l *MockLock) Peek(_ context.Context) (bool, error) { if l.elapsed < l.expiration { return true, nil } return false, nil } -func (l *MockLock) Refresh(ctx context.Context, expiration time.Duration) error { +func (l *MockLock) Refresh(_ context.Context, expiration time.Duration) error { if l.expiration <= l.elapsed { return sessions.ErrNotLocked } @@ -33,7 +33,7 @@ func (l *MockLock) Refresh(ctx context.Context, expiration time.Duration) error return nil } -func (l *MockLock) Release(ctx context.Context) error { +func (l *MockLock) Release(_ context.Context) error { if l.expiration <= l.elapsed { return sessions.ErrNotLocked } diff --git a/pkg/validation/header.go b/pkg/validation/header.go index 603feaf41e..b125814465 100644 --- a/pkg/validation/header.go +++ b/pkg/validation/header.go @@ -38,7 +38,7 @@ func validateHeader(header options.Header, names map[string]struct{}) []string { return msgs } -func validateHeaderValue(name string, value options.HeaderValue) []string { +func validateHeaderValue(_ string, value options.HeaderValue) []string { switch { case value.SecretSource != nil && value.ClaimSource == nil: return []string{validateSecretSource(*value.SecretSource)} diff --git a/providers/adfs.go b/providers/adfs.go index ca8af44c02..586b042030 100644 --- a/providers/adfs.go +++ b/providers/adfs.go @@ -93,7 +93,7 @@ func (p *ADFSProvider) RefreshSession(ctx context.Context, s *sessions.SessionSt return refreshed, err } -func (p *ADFSProvider) fallbackUPN(ctx context.Context, s *sessions.SessionState) error { +func (p *ADFSProvider) fallbackUPN(_ context.Context, s *sessions.SessionState) error { claims, err := p.getClaimExtractor(s.IDToken, s.AccessToken) if err != nil { return fmt.Errorf("could not extract claims: %v", err) diff --git a/providers/internal_util_test.go b/providers/internal_util_test.go index c8ab3f4f06..545e83cbb6 100644 --- a/providers/internal_util_test.go +++ b/providers/internal_util_test.go @@ -26,13 +26,13 @@ type ValidateSessionTestProvider struct { var _ Provider = (*ValidateSessionTestProvider)(nil) -func (tp *ValidateSessionTestProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error) { +func (tp *ValidateSessionTestProvider) GetEmailAddress(_ context.Context, _ *sessions.SessionState) (string, error) { return "", errors.New("not implemented") } // Note that we're testing the internal validateToken() used to implement // several Provider's ValidateSession() implementations -func (tp *ValidateSessionTestProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool { +func (tp *ValidateSessionTestProvider) ValidateSession(_ context.Context, _ *sessions.SessionState) bool { return false } diff --git a/providers/oidc.go b/providers/oidc.go index 2ac6acb044..1225141de7 100644 --- a/providers/oidc.go +++ b/providers/oidc.go @@ -93,7 +93,7 @@ func (p *OIDCProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifi // EnrichSession is called after Redeem to allow providers to enrich session fields // such as User, Email, Groups with provider specific API calls. -func (p *OIDCProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error { +func (p *OIDCProvider) EnrichSession(_ context.Context, s *sessions.SessionState) error { // If a mandatory email wasn't set, error at this point. if s.Email == "" { return errors.New("neither the id_token nor the profileURL set an email") From dcf3bd1bcf83cad07f39ecf3ded129339570088d Mon Sep 17 00:00:00 2001 From: Filipe Pina <636320+fopina@users.noreply.github.com> Date: Tue, 24 Oct 2023 20:01:16 +0100 Subject: [PATCH 03/17] update error middleware definition (for traefik) (#2272) --- docs/docs/configuration/overview.md | 2 +- docs/versioned_docs/version-7.5.x/configuration/overview.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs/configuration/overview.md b/docs/docs/configuration/overview.md index e7fcc24415..d65e8e2139 100644 --- a/docs/docs/configuration/overview.md +++ b/docs/docs/configuration/overview.md @@ -499,7 +499,7 @@ http: status: - "401-403" service: oauth-backend - query: "/oauth2/sign_in" + query: "/oauth2/sign_in?rd={url}" ``` ### ForwardAuth with static upstreams configuration diff --git a/docs/versioned_docs/version-7.5.x/configuration/overview.md b/docs/versioned_docs/version-7.5.x/configuration/overview.md index e7fcc24415..d65e8e2139 100644 --- a/docs/versioned_docs/version-7.5.x/configuration/overview.md +++ b/docs/versioned_docs/version-7.5.x/configuration/overview.md @@ -499,7 +499,7 @@ http: status: - "401-403" service: oauth-backend - query: "/oauth2/sign_in" + query: "/oauth2/sign_in?rd={url}" ``` ### ForwardAuth with static upstreams configuration From 3862182039886f07678d50e0b17fde68f07ba63c Mon Sep 17 00:00:00 2001 From: Florian Beier Date: Tue, 24 Oct 2023 21:01:36 +0200 Subject: [PATCH 04/17] Fix oidc-issuer-url in example (#2245) Fix path (/auth/ part was dropped with the move to Quarkus in Keycloak 17) Add note for older Keycloak versions --- docs/docs/configuration/auth.md | 2 +- docs/versioned_docs/version-7.5.x/configuration/auth.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs/configuration/auth.md b/docs/docs/configuration/auth.md index 282745c640..36fd2ef4f3 100644 --- a/docs/docs/configuration/auth.md +++ b/docs/docs/configuration/auth.md @@ -237,7 +237,7 @@ you should define the 'keycloak-group' value to /admin. --client-id= --client-secret= --redirect-url=https://internal.yourcompany.com/oauth2/callback - --oidc-issuer-url=https:///auth/realms/ + --oidc-issuer-url=https:///realms/ // For Keycloak versions <17: --oidc-issuer-url=https:///auth/realms/ --email-domain= // Validate email domain for users, see option documentation --allowed-role= // Optional, required realm role --allowed-role=: // Optional, required client role diff --git a/docs/versioned_docs/version-7.5.x/configuration/auth.md b/docs/versioned_docs/version-7.5.x/configuration/auth.md index cfcad1d149..cdf4e5013b 100644 --- a/docs/versioned_docs/version-7.5.x/configuration/auth.md +++ b/docs/versioned_docs/version-7.5.x/configuration/auth.md @@ -218,7 +218,7 @@ you should define the 'keycloak-group' value to /admin. --client-id= --client-secret= --redirect-url=https://internal.yourcompany.com/oauth2/callback - --oidc-issuer-url=https:///auth/realms/ + --oidc-issuer-url=https:///realms/ // For Keycloak versions <17: --oidc-issuer-url=https:///auth/realms/ --email-domain= // Validate email domain for users, see option documentation --allowed-role= // Optional, required realm role --allowed-role=: // Optional, required client role From 464f3bcf53fcaa281adb2eca260a730ed38f680d Mon Sep 17 00:00:00 2001 From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Date: Tue, 24 Oct 2023 21:03:16 +0200 Subject: [PATCH 05/17] Fixed Google ADC functionality (#2282) * Fixed Google ADC functionality * Updated CHANGELOG.md * Redo changes after merge-conflict * Fixed docs * Fixed linting issues * Applied PR suggestions --- CHANGELOG.md | 1 + docs/docs/configuration/alpha_config.md | 7 +- docs/docs/configuration/overview.md | 171 ++++++++++++------------ go.mod | 26 ++-- go.sum | 79 ++++------- pkg/apis/options/legacy_options.go | 3 + pkg/apis/options/providers.go | 8 +- providers/google.go | 41 +++++- 8 files changed, 175 insertions(+), 161 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 91f8a46fb0..ec311bb7c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ ## Changes since v7.5.1 - [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll) - [#2274](https://github.com/oauth2-proxy/oauth2-proxy/pull/2274) Upgrade golang.org/x/net to v0.17.0 (@pierluigilenoci) +- [#2282](https://github.com/oauth2-proxy/oauth2-proxy/pull/2282) Fixed checking Google Groups membership using Google Application Credentials (@kvanzuijlen) # V7.5.1 diff --git a/docs/docs/configuration/alpha_config.md b/docs/docs/configuration/alpha_config.md index ad2f768297..a72dc63982 100644 --- a/docs/docs/configuration/alpha_config.md +++ b/docs/docs/configuration/alpha_config.md @@ -223,7 +223,7 @@ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". | Field | Type | Description | | ----- | ---- | ----------- | | `group` | _[]string_ | Group sets restrict logins to members of this group | -| `projects` | _[]string_ | Projects restricts logins to members of any of these projects | +| `projects` | _[]string_ | Projects restricts logins to members of these projects | ### GoogleOptions @@ -233,10 +233,11 @@ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". | Field | Type | Description | | ----- | ---- | ----------- | -| `group` | _[]string_ | Groups sets restrict logins to members of this google group | -| `adminEmail` | _string_ | AdminEmail is the google admin to impersonate for api calls | +| `group` | _[]string_ | Groups sets restrict logins to members of this Google group | +| `adminEmail` | _string_ | AdminEmail is the Google admin to impersonate for api calls | | `serviceAccountJson` | _string_ | ServiceAccountJSON is the path to the service account json credentials | | `useApplicationDefaultCredentials` | _bool_ | UseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON | +| `targetPrincipal` | _string_ | TargetPrincipal is the Google Service Account used for Application Default Credentials | ### Header diff --git a/docs/docs/configuration/overview.md b/docs/docs/configuration/overview.md index d65e8e2139..a2a6e75bac 100644 --- a/docs/docs/configuration/overview.md +++ b/docs/docs/configuration/overview.md @@ -72,33 +72,33 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/ ### Command Line Options -| Option | Type | Description | Default | -| ------ | ---- | ----------- | ------- | -| `--acr-values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` | -| `--api-route` | string \| list | return HTTP 401 instead of redirecting to authentication server if token is not valid. Format: path_regex | | -| `--approval-prompt` | string | OAuth approval_prompt | `"force"` | -| `--auth-logging` | bool | Log authentication attempts | true | -| `--auth-logging-format` | string | Template for authentication log lines | see [Logging Configuration](#logging-configuration) | -| `--authenticated-emails-file` | string | authenticate against emails via file (one per line) | | -| `--azure-tenant` | string | go to a tenant-specific or common (tenant-independent) endpoint. | `"common"` | -| `--basic-auth-password` | string | the password to set when passing the HTTP Basic Auth header | | -| `--client-id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | | -| `--client-secret` | string | the OAuth Client Secret | | -| `--client-secret-file` | string | the file with OAuth Client Secret | | -| `--code-challenge-method` | string | use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended) | | -| `--config` | string | path to config file | | -| `--cookie-domain` | string \| list | Optional cookie domains to force cookies to (e.g. `.yourcompany.com`). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match). | | -| `--cookie-expire` | duration | expire timeframe for cookie. If set to 0, cookie becomes a session-cookie which will expire when the browser is closed. | 168h0m0s | -| `--cookie-httponly` | bool | set HttpOnly cookie flag | true | -| `--cookie-name` | string | the name of the cookie that the oauth_proxy creates. Should be changed to use a [cookie prefix](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes) (`__Host-` or `__Secure-`) if `--cookie-secure` is set. | `"_oauth2_proxy"` | -| `--cookie-path` | string | an optional cookie path to force cookies to (e.g. `/poc/`) | `"/"` | -| `--cookie-refresh` | duration | refresh the cookie after this duration; `0` to disable; not supported by all providers \[[1](#footnote1)\] | | -| `--cookie-secret` | string | the seed string for secure cookies (optionally base64 encoded) | | -| `--cookie-secure` | bool | set [secure (HTTPS only) cookie flag](https://owasp.org/www-community/controls/SecureFlag) | true | -| `--cookie-samesite` | string | set SameSite cookie attribute (`"lax"`, `"strict"`, `"none"`, or `""`). | `""` | -| `--cookie-csrf-per-request` | bool | Enable having different CSRF cookies per request, making it possible to have parallel requests. | false | -| `--cookie-csrf-expire` | duration | expire timeframe for CSRF cookie | 15m | -| `--custom-templates-dir` | string | path to custom html templates | | +| Option | Type | Description | Default | +| ------ | ---- | ----------- |------------------------------------------------------------------| +| `--acr-values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` | +| `--api-route` | string \| list | return HTTP 401 instead of redirecting to authentication server if token is not valid. Format: path_regex | | +| `--approval-prompt` | string | OAuth approval_prompt | `"force"` | +| `--auth-logging` | bool | Log authentication attempts | true | +| `--auth-logging-format` | string | Template for authentication log lines | see [Logging Configuration](#logging-configuration) | +| `--authenticated-emails-file` | string | authenticate against emails via file (one per line) | | +| `--azure-tenant` | string | go to a tenant-specific or common (tenant-independent) endpoint. | `"common"` | +| `--basic-auth-password` | string | the password to set when passing the HTTP Basic Auth header | | +| `--client-id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | | +| `--client-secret` | string | the OAuth Client Secret | | +| `--client-secret-file` | string | the file with OAuth Client Secret | | +| `--code-challenge-method` | string | use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended) | | +| `--config` | string | path to config file | | +| `--cookie-domain` | string \| list | Optional cookie domains to force cookies to (e.g. `.yourcompany.com`). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match). | | +| `--cookie-expire` | duration | expire timeframe for cookie. If set to 0, cookie becomes a session-cookie which will expire when the browser is closed. | 168h0m0s | +| `--cookie-httponly` | bool | set HttpOnly cookie flag | true | +| `--cookie-name` | string | the name of the cookie that the oauth_proxy creates. Should be changed to use a [cookie prefix](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes) (`__Host-` or `__Secure-`) if `--cookie-secure` is set. | `"_oauth2_proxy"` | +| `--cookie-path` | string | an optional cookie path to force cookies to (e.g. `/poc/`) | `"/"` | +| `--cookie-refresh` | duration | refresh the cookie after this duration; `0` to disable; not supported by all providers \[[1](#footnote1)\] | | +| `--cookie-secret` | string | the seed string for secure cookies (optionally base64 encoded) | | +| `--cookie-secure` | bool | set [secure (HTTPS only) cookie flag](https://owasp.org/www-community/controls/SecureFlag) | true | +| `--cookie-samesite` | string | set SameSite cookie attribute (`"lax"`, `"strict"`, `"none"`, or `""`). | `""` | +| `--cookie-csrf-per-request` | bool | Enable having different CSRF cookies per request, making it possible to have parallel requests. | false | +| `--cookie-csrf-expire` | duration | expire timeframe for CSRF cookie | 15m | +| `--custom-templates-dir` | string | path to custom html templates | | | `--custom-sign-in-logo` | string | path or a URL to an custom image for the sign_in page logo. Use `"-"` to disable default logo. | | `--display-htpasswd-form` | bool | display username / password login form if an htpasswd file is provided | true | | `--email-domain` | string \| list | authenticate emails with the specified domain (may be given multiple times). Use `*` to authenticate any email | | @@ -121,6 +121,7 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/ | `--google-group` | string | restrict logins to members of this google group (may be given multiple times). | | | `--google-service-account-json` | string | the path to the service account json credentials | | | `--google-use-application-default-credentials` | bool | use application default credentials instead of service account json (i.e. GKE Workload Identity) | | +| `--google-target-principal` | bool | the targetprincipal to impersonate when using ADC | defaults to the service account configured for ADC | | `--htpasswd-file` | string | additionally authenticate against a htpasswd file. Entries must be created with `htpasswd -B` for bcrypt encryption | | | `--htpasswd-user-group` | string \| list | the groups to be set on sessions for htpasswd users | | | `--http-address` | string | `[http://]:` or `unix://` to listen on for HTTP clients. Square brackets are required for ipv6 address, e.g. `http://[::1]:4180` | `"127.0.0.1:4180"` | @@ -153,64 +154,64 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/ | `--prompt` | string | [OIDC prompt](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest); if present, `approval-prompt` is ignored | `""` | | `--provider` | string | OAuth provider | google | | `--provider-ca-file` | string \| list | Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead. | -| `--provider-display-name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) | -| `--ping-path` | string | the ping endpoint that can be used for basic health checks | `"/ping"` | -| `--ping-user-agent` | string | a User-Agent that can be used for basic health checks | `""` (don't check user agent) | -| `--ready-path` | string | the ready endpoint that can be used for deep health checks | `"/ready"` | -| `--metrics-address` | string | the address prometheus metrics will be scraped from | `""` | -| `--proxy-prefix` | string | the url root path that this proxy should be nested under (e.g. /`/sign_in`) | `"/oauth2"` | -| `--proxy-websockets` | bool | enables WebSocket proxying | true | -| `--pubjwk-url` | string | JWK pubkey access endpoint: required by login.gov | | -| `--real-client-ip-header` | string | Header used to determine the real IP of the client, requires `--reverse-proxy` to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP) | X-Real-IP | -| `--redeem-url` | string | Token redemption endpoint | | -| `--redirect-url` | string | the OAuth Redirect URL, e.g. `"https://internalapp.yourcompany.com/oauth2/callback"` | | -| `--redis-cluster-connection-urls` | string \| list | List of Redis cluster connection URLs (e.g. `redis://HOST[:PORT]`). Used in conjunction with `--redis-use-cluster` | | -| `--redis-connection-url` | string | URL of redis server for redis session storage (e.g. `redis://HOST[:PORT]`) | | -| `--redis-insecure-skip-tls-verify` | bool | skip TLS verification when connecting to Redis | false | -| `--redis-password` | string | Redis password. Applicable for all Redis configurations. Will override any password set in `--redis-connection-url` | | -| `--redis-sentinel-password` | string | Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `--redis-password` | | -| `--redis-sentinel-master-name` | string | Redis sentinel master name. Used in conjunction with `--redis-use-sentinel` | | -| `--redis-sentinel-connection-urls` | string \| list | List of Redis sentinel connection URLs (e.g. `redis://HOST[:PORT]`). Used in conjunction with `--redis-use-sentinel` | | -| `--redis-use-cluster` | bool | Connect to redis cluster. Must set `--redis-cluster-connection-urls` to use this feature | false | -| `--redis-use-sentinel` | bool | Connect to redis via sentinels. Must set `--redis-sentinel-master-name` and `--redis-sentinel-connection-urls` to use this feature | false | -| `--redis-connection-idle-timeout` | int | Redis connection idle timeout seconds. If Redis [timeout](https://redis.io/docs/reference/clients/#client-timeouts) option is set to non-zero, the `--redis-connection-idle-timeout` must be less than Redis timeout option. Exmpale: if either redis.conf includes `timeout 15` or using `CONFIG SET timeout 15` the `--redis-connection-idle-timeout` must be at least `--redis-connection-idle-timeout=14` | 0 | -| `--request-id-header` | string | Request header to use as the request ID in logging | X-Request-Id | -| `--request-logging` | bool | Log requests | true | -| `--request-logging-format` | string | Template for request log lines | see [Logging Configuration](#logging-configuration) | -| `--resource` | string | The resource that is protected (Azure AD only) | | -| `--reverse-proxy` | bool | are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection | false | -| `--scope` | string | OAuth scope specification | | -| `--session-cookie-minimal` | bool | strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only) | false | -| `--session-store-type` | string | [Session data storage backend](sessions.md); redis or cookie | cookie | -| `--set-xauthrequest` | bool | set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with `--pass-access-token`, X-Auth-Request-Access-Token is added to response headers. | false | -| `--set-authorization-header` | bool | set Authorization Bearer response header (useful in Nginx auth_request mode) | false | -| `--set-basic-auth` | bool | set HTTP Basic Auth information in response (useful in Nginx auth_request mode) | false | -| `--show-debug-on-error` | bool | show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production) | false | -| `--signature-key` | string | GAP-Signature request signature key (algorithm:secretkey) | | -| `--silence-ping-logging` | bool | disable logging of requests to ping & ready endpoints | false | -| `--skip-auth-preflight` | bool | will skip authentication for OPTIONS requests | false | -| `--skip-auth-regex` | string \| list | (DEPRECATED for `--skip-auth-route`) bypass authentication for requests paths that match (may be given multiple times) | | -| `--skip-auth-route` | string \| list | bypass authentication for requests that match the method & path. Format: method=path_regex OR method!=path_regex. For all methods: path_regex OR !=path_regex | | -| `--skip-auth-strip-headers` | bool | strips `X-Forwarded-*` style authentication headers & `Authorization` header if they would be set by oauth2-proxy | true | -| `--skip-jwt-bearer-tokens` | bool | will skip requests that have verified JWT bearer tokens (the token must have [`aud`](https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields) that matches this client id or one of the extras from `extra-jwt-issuers`) | false | -| `--skip-oidc-discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false | -| `--skip-provider-button` | bool | will skip sign-in-page to directly reach the next step: oauth/start | false | -| `--ssl-insecure-skip-verify` | bool | skip validation of certificates presented when using HTTPS providers | false | -| `--ssl-upstream-insecure-skip-verify` | bool | skip validation of certificates presented when using HTTPS upstreams | false | -| `--standard-logging` | bool | Log standard runtime information | true | -| `--standard-logging-format` | string | Template for standard log lines | see [Logging Configuration](#logging-configuration) | -| `--tls-cert-file` | string | path to certificate file | | -| `--tls-cipher-suite` | string \| list | Restricts TLS cipher suites used by server to those listed (e.g. TLS_RSA_WITH_RC4_128_SHA) (may be given multiple times). If not specified, the default Go safe cipher list is used. List of valid cipher suites can be found in the [crypto/tls documentation](https://pkg.go.dev/crypto/tls#pkg-constants). | | -| `--tls-key-file` | string | path to private key file | | -| `--tls-min-version` | string | minimum TLS version that is acceptable, either `"TLS1.2"` or `"TLS1.3"` | `"TLS1.2"` | -| `--upstream` | string \| list | the http url(s) of the upstream endpoint, file:// paths for static files or `static://` for static response. Routing is based on the path | | -| `--upstream-timeout` | duration | maximum amount of time the server will wait for a response from the upstream | 30s | -| `--allowed-group` | string \| list | restrict logins to members of this group (may be given multiple times) | | -| `--allowed-role` | string \| list | restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider. | | -| `--validate-url` | string | Access token validation endpoint | | -| `--version` | n/a | print version string | | -| `--whitelist-domain` | string \| list | allowed domains for redirection after authentication. Prefix domain with a `.` or a `*.` to allow subdomains (e.g. `.example.com`, `*.example.com`) \[[2](#footnote2)\] | | -| `--trusted-ip` | string \| list | list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with `--reverse-proxy` and optionally `--real-client-ip-header` this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them. | | +| `--provider-display-name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) | +| `--ping-path` | string | the ping endpoint that can be used for basic health checks | `"/ping"` | +| `--ping-user-agent` | string | a User-Agent that can be used for basic health checks | `""` (don't check user agent) | +| `--ready-path` | string | the ready endpoint that can be used for deep health checks | `"/ready"` | +| `--metrics-address` | string | the address prometheus metrics will be scraped from | `""` | +| `--proxy-prefix` | string | the url root path that this proxy should be nested under (e.g. /`/sign_in`) | `"/oauth2"` | +| `--proxy-websockets` | bool | enables WebSocket proxying | true | +| `--pubjwk-url` | string | JWK pubkey access endpoint: required by login.gov | | +| `--real-client-ip-header` | string | Header used to determine the real IP of the client, requires `--reverse-proxy` to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP) | X-Real-IP | +| `--redeem-url` | string | Token redemption endpoint | | +| `--redirect-url` | string | the OAuth Redirect URL, e.g. `"https://internalapp.yourcompany.com/oauth2/callback"` | | +| `--redis-cluster-connection-urls` | string \| list | List of Redis cluster connection URLs (e.g. `redis://HOST[:PORT]`). Used in conjunction with `--redis-use-cluster` | | +| `--redis-connection-url` | string | URL of redis server for redis session storage (e.g. `redis://HOST[:PORT]`) | | +| `--redis-insecure-skip-tls-verify` | bool | skip TLS verification when connecting to Redis | false | +| `--redis-password` | string | Redis password. Applicable for all Redis configurations. Will override any password set in `--redis-connection-url` | | +| `--redis-sentinel-password` | string | Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `--redis-password` | | +| `--redis-sentinel-master-name` | string | Redis sentinel master name. Used in conjunction with `--redis-use-sentinel` | | +| `--redis-sentinel-connection-urls` | string \| list | List of Redis sentinel connection URLs (e.g. `redis://HOST[:PORT]`). Used in conjunction with `--redis-use-sentinel` | | +| `--redis-use-cluster` | bool | Connect to redis cluster. Must set `--redis-cluster-connection-urls` to use this feature | false | +| `--redis-use-sentinel` | bool | Connect to redis via sentinels. Must set `--redis-sentinel-master-name` and `--redis-sentinel-connection-urls` to use this feature | false | +| `--redis-connection-idle-timeout` | int | Redis connection idle timeout seconds. If Redis [timeout](https://redis.io/docs/reference/clients/#client-timeouts) option is set to non-zero, the `--redis-connection-idle-timeout` must be less than Redis timeout option. Exmpale: if either redis.conf includes `timeout 15` or using `CONFIG SET timeout 15` the `--redis-connection-idle-timeout` must be at least `--redis-connection-idle-timeout=14` | 0 | +| `--request-id-header` | string | Request header to use as the request ID in logging | X-Request-Id | +| `--request-logging` | bool | Log requests | true | +| `--request-logging-format` | string | Template for request log lines | see [Logging Configuration](#logging-configuration) | +| `--resource` | string | The resource that is protected (Azure AD only) | | +| `--reverse-proxy` | bool | are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection | false | +| `--scope` | string | OAuth scope specification | | +| `--session-cookie-minimal` | bool | strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only) | false | +| `--session-store-type` | string | [Session data storage backend](sessions.md); redis or cookie | cookie | +| `--set-xauthrequest` | bool | set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with `--pass-access-token`, X-Auth-Request-Access-Token is added to response headers. | false | +| `--set-authorization-header` | bool | set Authorization Bearer response header (useful in Nginx auth_request mode) | false | +| `--set-basic-auth` | bool | set HTTP Basic Auth information in response (useful in Nginx auth_request mode) | false | +| `--show-debug-on-error` | bool | show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production) | false | +| `--signature-key` | string | GAP-Signature request signature key (algorithm:secretkey) | | +| `--silence-ping-logging` | bool | disable logging of requests to ping & ready endpoints | false | +| `--skip-auth-preflight` | bool | will skip authentication for OPTIONS requests | false | +| `--skip-auth-regex` | string \| list | (DEPRECATED for `--skip-auth-route`) bypass authentication for requests paths that match (may be given multiple times) | | +| `--skip-auth-route` | string \| list | bypass authentication for requests that match the method & path. Format: method=path_regex OR method!=path_regex. For all methods: path_regex OR !=path_regex | | +| `--skip-auth-strip-headers` | bool | strips `X-Forwarded-*` style authentication headers & `Authorization` header if they would be set by oauth2-proxy | true | +| `--skip-jwt-bearer-tokens` | bool | will skip requests that have verified JWT bearer tokens (the token must have [`aud`](https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields) that matches this client id or one of the extras from `extra-jwt-issuers`) | false | +| `--skip-oidc-discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false | +| `--skip-provider-button` | bool | will skip sign-in-page to directly reach the next step: oauth/start | false | +| `--ssl-insecure-skip-verify` | bool | skip validation of certificates presented when using HTTPS providers | false | +| `--ssl-upstream-insecure-skip-verify` | bool | skip validation of certificates presented when using HTTPS upstreams | false | +| `--standard-logging` | bool | Log standard runtime information | true | +| `--standard-logging-format` | string | Template for standard log lines | see [Logging Configuration](#logging-configuration) | +| `--tls-cert-file` | string | path to certificate file | | +| `--tls-cipher-suite` | string \| list | Restricts TLS cipher suites used by server to those listed (e.g. TLS_RSA_WITH_RC4_128_SHA) (may be given multiple times). If not specified, the default Go safe cipher list is used. List of valid cipher suites can be found in the [crypto/tls documentation](https://pkg.go.dev/crypto/tls#pkg-constants). | | +| `--tls-key-file` | string | path to private key file | | +| `--tls-min-version` | string | minimum TLS version that is acceptable, either `"TLS1.2"` or `"TLS1.3"` | `"TLS1.2"` | +| `--upstream` | string \| list | the http url(s) of the upstream endpoint, file:// paths for static files or `static://` for static response. Routing is based on the path | | +| `--upstream-timeout` | duration | maximum amount of time the server will wait for a response from the upstream | 30s | +| `--allowed-group` | string \| list | restrict logins to members of this group (may be given multiple times) | | +| `--allowed-role` | string \| list | restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider. | | +| `--validate-url` | string | Access token validation endpoint | | +| `--version` | n/a | print version string | | +| `--whitelist-domain` | string \| list | allowed domains for redirection after authentication. Prefix domain with a `.` or a `*.` to allow subdomains (e.g. `.example.com`, `*.example.com`) \[[2](#footnote2)\] | | +| `--trusted-ip` | string \| list | list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with `--reverse-proxy` and optionally `--real-client-ip-header` this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them. | | \[1\]: Only these providers support `--cookie-refresh`: GitLab, Google and OIDC diff --git a/go.mod b/go.mod index 30fc2a16ba..45702fd169 100644 --- a/go.mod +++ b/go.mod @@ -3,6 +3,7 @@ module github.com/oauth2-proxy/oauth2-proxy/v7 go 1.19 require ( + cloud.google.com/go/compute/metadata v0.2.3 github.com/Bose/minisentinel v0.0.0-20200130220412-917c5a9223bb github.com/alicebob/miniredis/v2 v2.23.0 github.com/benbjohnson/clock v1.3.0 @@ -12,7 +13,7 @@ require ( github.com/fsnotify/fsnotify v1.6.0 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 github.com/golang-jwt/jwt v3.2.2+incompatible - github.com/google/uuid v1.3.0 + github.com/google/uuid v1.3.1 github.com/gorilla/mux v1.8.0 github.com/justinas/alice v1.2.0 github.com/mbland/hmacauth v0.0.0-20170912233209-44256dfd4bfa @@ -33,17 +34,16 @@ require ( golang.org/x/crypto v0.14.0 golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 golang.org/x/net v0.17.0 - golang.org/x/oauth2 v0.8.0 - golang.org/x/sync v0.2.0 - google.golang.org/api v0.125.0 + golang.org/x/oauth2 v0.13.0 + golang.org/x/sync v0.4.0 + google.golang.org/api v0.148.0 gopkg.in/natefinch/lumberjack.v2 v2.2.1 gopkg.in/square/go-jose.v2 v2.6.0 k8s.io/apimachinery v0.27.2 ) require ( - cloud.google.com/go/compute v1.20.0 // indirect - cloud.google.com/go/compute/metadata v0.2.3 // indirect + cloud.google.com/go/compute v1.23.0 // indirect github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect @@ -54,10 +54,10 @@ require ( github.com/go-logr/logr v1.2.4 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect - github.com/google/go-cmp v0.5.9 // indirect - github.com/google/s2a-go v0.1.4 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect - github.com/googleapis/gax-go/v2 v2.10.0 // indirect + github.com/google/go-cmp v0.6.0 // indirect + github.com/google/s2a-go v0.1.7 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.1 // indirect + github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect @@ -76,9 +76,9 @@ require ( golang.org/x/sys v0.13.0 // indirect golang.org/x/text v0.13.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect - google.golang.org/grpc v1.55.0 // indirect - google.golang.org/protobuf v1.30.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a // indirect + google.golang.org/grpc v1.58.3 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum index e4ab5567c6..7195f8ed61 100644 --- a/go.sum +++ b/go.sum @@ -23,8 +23,8 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute v1.20.0 h1:cUOcywWuowO9It2i1KX1lIb0HH7gLv6nENKuZGnlcSo= -cloud.google.com/go/compute v1.20.0/go.mod h1:kn5BhC++qUWR/AM3Dn21myV7QbgqejW04cAOrtppaQI= +cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY= +cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= @@ -55,7 +55,6 @@ github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGn github.com/alicebob/miniredis/v2 v2.11.1/go.mod h1:UA48pmi7aSazcGAvcdKcBB49z521IC9VjTTRz2nIaJE= github.com/alicebob/miniredis/v2 v2.23.0 h1:+lwAJYjvvdIVg6doFHuotFjueJ/7KY10xo/vm3X3Scw= github.com/alicebob/miniredis/v2 v2.23.0/go.mod h1:XNqvJdQJv5mSuVMc0ynneafpnL/zv52acZ6kqeS0t88= -github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A= github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= @@ -73,7 +72,6 @@ github.com/bsm/redislock v0.9.3 h1:osmvugkXGiLDEhzUPdM0EUtKpTEgLLuli4Ky2Z4vx38= github.com/bsm/redislock v0.9.3/go.mod h1:Epf7AJLiSFwLCiZcfi6pWFO/8eAYrYpQXFxEDPoDeAk= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= @@ -83,10 +81,6 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= -github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-oidc/v3 v3.6.0 h1:AKVxfYw1Gmkn/w96z0DbT/B/xFnzTd3MkZvWLjF4n/o= @@ -106,7 +100,6 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= @@ -164,7 +157,6 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/gomodule/redigo v1.7.1-0.20190322064113-39e2c31b7ca3 h1:6amM4HsNPOvMLVc2ZnyqrjeQ92YAVWn7T4WBKK87inY= @@ -182,8 +174,8 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= @@ -201,18 +193,18 @@ github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= -github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= +github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k= -github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.3.1 h1:SBWmZhjUDRorQxrN0nwzf+AHBxnbFjViHQS4P0yVpmQ= +github.com/googleapis/enterprise-certificate-proxy v0.3.1/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gax-go/v2 v2.10.0 h1:ebSgKfMxynOdxw8QQuFOKMgomqeLGPqNLQox2bo42zg= -github.com/googleapis/gax-go/v2 v2.10.0/go.mod h1:4UOEnMCrxsSqQ940WnTiD6qJ63le2ev3xfyagutxiPw= +github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= +github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= @@ -221,7 +213,6 @@ github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoA github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= @@ -314,7 +305,6 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T github.com/redis/go-redis/v9 v9.0.5 h1:CuQcn5HIEeK7BgElubPP8CGtE0KakrnbBSTLjathl5o= github.com/redis/go-redis/v9 v9.0.5/go.mod h1:WqMKv5vnQbRuZstUwxQI195wHy+t4PuXDOjzMvcuQHk= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= -github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= @@ -365,7 +355,6 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yuin/gopher-lua v0.0.0-20190206043414-8bfc7677f583/go.mod h1:gqRgreBUhTSL0GeU64rtZ3Uq3wtjOa/TB2YfrtkCbVQ= github.com/yuin/gopher-lua v0.0.0-20191213034115-f46add6fdb5c/go.mod h1:gqRgreBUhTSL0GeU64rtZ3Uq3wtjOa/TB2YfrtkCbVQ= github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 h1:k/gmLsJDWwWqbLCur2yWnJzwQEKRcAHXo6seXGuSwWw= @@ -379,7 +368,6 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= @@ -391,9 +379,7 @@ golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= @@ -432,7 +418,6 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -472,7 +457,6 @@ golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -484,8 +468,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY= +golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -496,9 +480,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= -golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= +golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -543,13 +526,10 @@ golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -558,7 +538,6 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -615,7 +594,6 @@ golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -640,8 +618,8 @@ google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz513 google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.125.0 h1:7xGvEY4fyWbhWMHf3R2/4w7L4fXyfpRGE9g6lp8+DCk= -google.golang.org/api v0.125.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw= +google.golang.org/api v0.148.0 h1:HBq4TZlN4/1pNcu0geJZ/Q50vIwIXT532UIMYoo0vOs= +google.golang.org/api v0.148.0/go.mod h1:8/TBgwaKjfqTdacOJrOv2+2Q6fBDU1uHKK06oGSkxzU= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= @@ -673,7 +651,6 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= @@ -687,10 +664,10 @@ google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao= -google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc h1:kVKPf/IiYSBWEWtkIn6wZXwWGCnLKcC8oWfZvXjsGnM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc h1:XSJ8Vk1SWuNr8S18z1NZSziL0CPIXLCCMDOEFtHBOFc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 h1:SeZZZx0cP0fqUyA+oRzP9k7cSwJlvDFiROO72uwD6i0= +google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 h1:W18sezcAYs+3tDZX4F80yctqa12jcP1PUS2gQu1zTPU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a h1:a2MQQVoTo96JC9PMGtGBymLp7+/RzpFc2yX/9WfFg1c= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a/go.mod h1:4cYg8o5yUbm77w8ZX00LhMVNl/YVBFJRYWDc0uYWMs0= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -705,14 +682,11 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= -google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag= -google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8= +google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ= +google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -725,8 +699,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -747,7 +721,6 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/pkg/apis/options/legacy_options.go b/pkg/apis/options/legacy_options.go index 7dfe64e641..99be34b93b 100644 --- a/pkg/apis/options/legacy_options.go +++ b/pkg/apis/options/legacy_options.go @@ -500,6 +500,7 @@ type LegacyProvider struct { GoogleAdminEmail string `flag:"google-admin-email" cfg:"google_admin_email"` GoogleServiceAccountJSON string `flag:"google-service-account-json" cfg:"google_service_account_json"` GoogleUseApplicationDefaultCredentials bool `flag:"google-use-application-default-credentials" cfg:"google_use_application_default_credentials"` + GoogleTargetPrincipal string `flag:"google-target-principal" cfg:"google_target_principal"` // These options allow for other providers besides Google, with // potential overrides. @@ -600,6 +601,7 @@ func legacyGoogleFlagSet() *pflag.FlagSet { flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls") flagSet.String("google-service-account-json", "", "the path to the service account json credentials") flagSet.String("google-use-application-default-credentials", "", "use application default credentials instead of service account json (i.e. GKE Workload Identity)") + flagSet.String("google-target-principal", "", "the targetprincipal to impersonate when using ADC") return flagSet } @@ -741,6 +743,7 @@ func (l *LegacyProvider) convert() (Providers, error) { AdminEmail: l.GoogleAdminEmail, ServiceAccountJSON: l.GoogleServiceAccountJSON, UseApplicationDefaultCredentials: l.GoogleUseApplicationDefaultCredentials, + TargetPrincipal: l.GoogleTargetPrincipal, } } diff --git a/pkg/apis/options/providers.go b/pkg/apis/options/providers.go index c9ec262fc0..9599f239c6 100644 --- a/pkg/apis/options/providers.go +++ b/pkg/apis/options/providers.go @@ -178,19 +178,21 @@ type GitHubOptions struct { type GitLabOptions struct { // Group sets restrict logins to members of this group Group []string `json:"group,omitempty"` - // Projects restricts logins to members of any of these projects + // Projects restricts logins to members of these projects Projects []string `json:"projects,omitempty"` } type GoogleOptions struct { - // Groups sets restrict logins to members of this google group + // Groups sets restrict logins to members of this Google group Groups []string `json:"group,omitempty"` - // AdminEmail is the google admin to impersonate for api calls + // AdminEmail is the Google admin to impersonate for api calls AdminEmail string `json:"adminEmail,omitempty"` // ServiceAccountJSON is the path to the service account json credentials ServiceAccountJSON string `json:"serviceAccountJson,omitempty"` // UseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON UseApplicationDefaultCredentials bool `json:"useApplicationDefaultCredentials,omitempty"` + // TargetPrincipal is the Google Service Account used for Application Default Credentials + TargetPrincipal string `json:"targetPrincipal,omitempty"` } type OIDCOptions struct { diff --git a/providers/google.go b/providers/google.go index c0ae5baff3..4f69193020 100644 --- a/providers/google.go +++ b/providers/google.go @@ -14,6 +14,7 @@ import ( "strings" "time" + "cloud.google.com/go/compute/metadata" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" @@ -22,6 +23,7 @@ import ( "golang.org/x/oauth2/google" admin "google.golang.org/api/admin/directory/v1" "google.golang.org/api/googleapi" + "google.golang.org/api/impersonate" "google.golang.org/api/option" ) @@ -231,14 +233,15 @@ func getAdminService(opts options.GoogleOptions) *admin.Service { ctx := context.Background() var client *http.Client if opts.UseApplicationDefaultCredentials { - ts, err := google.FindDefaultCredentialsWithParams(ctx, google.CredentialsParams{ - Subject: opts.AdminEmail, - Scopes: []string{admin.AdminDirectoryGroupReadonlyScope, admin.AdminDirectoryUserReadonlyScope}, + ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{ + TargetPrincipal: getTargetPrincipal(ctx, opts), + Scopes: []string{admin.AdminDirectoryGroupReadonlyScope, admin.AdminDirectoryUserReadonlyScope}, + Subject: opts.AdminEmail, }) if err != nil { logger.Fatal("failed to fetch application default credentials: ", err) } - client = oauth2.NewClient(ctx, ts.TokenSource) + client = oauth2.NewClient(ctx, ts) } else { credentialsReader, err := os.Open(opts.ServiceAccountJSON) if err != nil { @@ -265,6 +268,36 @@ func getAdminService(opts options.GoogleOptions) *admin.Service { return adminService } +func getTargetPrincipal(ctx context.Context, opts options.GoogleOptions) (targetPrincipal string) { + targetPrincipal = opts.TargetPrincipal + + if targetPrincipal != "" { + return targetPrincipal + } + logger.Print("INFO: no target principal set, trying to automatically determine one instead.") + credential, err := google.FindDefaultCredentials(ctx) + if err != nil { + logger.Fatal("failed to fetch application default credentials: ", err) + } + content := map[string]interface{}{} + + err = json.Unmarshal(credential.JSON, &content) + switch { + case err != nil && !metadata.OnGCE(): + logger.Fatal("unable to unmarshal Application Default Credentials JSON", err) + case content["client_email"] != nil: + targetPrincipal = fmt.Sprintf("%v", content["client_email"]) + case metadata.OnGCE(): + targetPrincipal, err = metadata.Email("") + if err != nil { + logger.Fatal("error while calling the GCE metadata server", err) + } + default: + logger.Fatal("unable to determine Application Default Credentials TargetPrincipal, try overriding with --target-principal instead.") + } + return targetPrincipal +} + func userInGroup(service *admin.Service, group string, email string) bool { // Use the HasMember API to checking for the user's presence in each group or nested subgroups req := service.Members.HasMember(group, email) From 601477a52cf7d4eb4b8e4c36b916d6fbeb1a3468 Mon Sep 17 00:00:00 2001 From: axel7083 <42176370+axel7083@users.noreply.github.com> Date: Wed, 25 Oct 2023 11:25:01 +0200 Subject: [PATCH 06/17] Feature: Allowing relative redirect url though an option (#2183) * Adding relative redirect url option * Updating CHANGELOG.md * tests: adding unit test for getOAuthRedirectURI --------- Co-authored-by: Joel Speed --- CHANGELOG.md | 4 +- docs/docs/configuration/overview.md | 1 + oauthproxy.go | 4 +- oauthproxy_test.go | 87 +++++++++++++++++++++++++++++ pkg/apis/options/options.go | 20 ++++--- 5 files changed, 105 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ec311bb7c3..9c087c2e4a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,10 +7,12 @@ ## Breaking Changes ## Changes since v7.5.1 + - [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll) - [#2274](https://github.com/oauth2-proxy/oauth2-proxy/pull/2274) Upgrade golang.org/x/net to v0.17.0 (@pierluigilenoci) - [#2282](https://github.com/oauth2-proxy/oauth2-proxy/pull/2282) Fixed checking Google Groups membership using Google Application Credentials (@kvanzuijlen) - +- [#2183](https://github.com/oauth2-proxy/oauth2-proxy/pull/2183) Allowing relative redirect url though an option +- # V7.5.1 ## Release Highlights diff --git a/docs/docs/configuration/overview.md b/docs/docs/configuration/overview.md index a2a6e75bac..a3629492ba 100644 --- a/docs/docs/configuration/overview.md +++ b/docs/docs/configuration/overview.md @@ -165,6 +165,7 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/ | `--real-client-ip-header` | string | Header used to determine the real IP of the client, requires `--reverse-proxy` to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP) | X-Real-IP | | `--redeem-url` | string | Token redemption endpoint | | | `--redirect-url` | string | the OAuth Redirect URL, e.g. `"https://internalapp.yourcompany.com/oauth2/callback"` | | +| `--relative-redirect-url` | bool | allow relative OAuth Redirect URL.` | | | `--redis-cluster-connection-urls` | string \| list | List of Redis cluster connection URLs (e.g. `redis://HOST[:PORT]`). Used in conjunction with `--redis-use-cluster` | | | `--redis-connection-url` | string | URL of redis server for redis session storage (e.g. `redis://HOST[:PORT]`) | | | `--redis-insecure-skip-tls-verify` | bool | skip TLS verification when connecting to Redis | false | diff --git a/oauthproxy.go b/oauthproxy.go index 10a69b311d..c4b0d51bc3 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -86,6 +86,7 @@ type OAuthProxy struct { allowedRoutes []allowedRoute apiRoutes []apiRoute redirectURL *url.URL // the url to receive requests at + relativeRedirectURL bool whitelistDomains []string provider providers.Provider sessionStore sessionsapi.SessionStore @@ -216,6 +217,7 @@ func NewOAuthProxy(opts *options.Options, validator func(string) bool) (*OAuthPr provider: provider, sessionStore: sessionStore, redirectURL: redirectURL, + relativeRedirectURL: opts.RelativeRedirectURL, apiRoutes: apiRoutes, allowedRoutes: allowedRoutes, whitelistDomains: opts.WhitelistDomains, @@ -1018,7 +1020,7 @@ func prepareNoCacheMiddleware(next http.Handler) http.Handler { // This is usually the OAuthProxy callback URL. func (p *OAuthProxy) getOAuthRedirectURI(req *http.Request) string { // if `p.redirectURL` already has a host, return it - if p.redirectURL.Host != "" { + if p.relativeRedirectURL || p.redirectURL.Host != "" { return p.redirectURL.String() } diff --git a/oauthproxy_test.go b/oauthproxy_test.go index 0d8bc91a6e..85e19f2247 100644 --- a/oauthproxy_test.go +++ b/oauthproxy_test.go @@ -3257,3 +3257,90 @@ func TestAuthOnlyAllowedEmails(t *testing.T) { }) } } + +func TestGetOAuthRedirectURI(t *testing.T) { + tests := []struct { + name string + setupOpts func(*options.Options) *options.Options + req *http.Request + want string + }{ + { + name: "redirect with https schema", + setupOpts: func(baseOpts *options.Options) *options.Options { + return baseOpts + }, + req: &http.Request{ + Host: "example", + URL: &url.URL{ + Scheme: schemeHTTPS, + }, + }, + want: "https://example/oauth2/callback", + }, + { + name: "redirect with http schema", + setupOpts: func(baseOpts *options.Options) *options.Options { + baseOpts.Cookie.Secure = false + return baseOpts + }, + req: &http.Request{ + Host: "example", + URL: &url.URL{ + Scheme: schemeHTTP, + }, + }, + want: "http://example/oauth2/callback", + }, + { + name: "relative redirect url", + setupOpts: func(baseOpts *options.Options) *options.Options { + baseOpts.RelativeRedirectURL = true + return baseOpts + }, + req: &http.Request{}, + want: "/oauth2/callback", + }, + { + name: "proxy prefix", + setupOpts: func(baseOpts *options.Options) *options.Options { + baseOpts.ProxyPrefix = "/prefix" + return baseOpts + }, + req: &http.Request{ + Host: "example", + URL: &url.URL{ + Scheme: schemeHTTP, + }, + }, + want: "https://example/prefix/callback", + }, + { + name: "proxy prefix with relative redirect", + setupOpts: func(baseOpts *options.Options) *options.Options { + baseOpts.ProxyPrefix = "/prefix" + baseOpts.RelativeRedirectURL = true + return baseOpts + }, + req: &http.Request{ + Host: "example", + URL: &url.URL{ + Scheme: schemeHTTP, + }, + }, + want: "/prefix/callback", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + baseOpts := baseTestOptions() + err := validation.Validate(baseOpts) + assert.NoError(t, err) + + proxy, err := NewOAuthProxy(tt.setupOpts(baseOpts), func(string) bool { return true }) + assert.NoError(t, err) + + assert.Equalf(t, tt.want, proxy.getOAuthRedirectURI(tt.req), "getOAuthRedirectURI(%v)", tt.req) + }) + } +} diff --git a/pkg/apis/options/options.go b/pkg/apis/options/options.go index 0af8df3fc6..ecf9280866 100644 --- a/pkg/apis/options/options.go +++ b/pkg/apis/options/options.go @@ -18,15 +18,16 @@ type SignatureData struct { // Options holds Configuration Options that can be set by Command Line Flag, // or Config File type Options struct { - ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy_prefix"` - PingPath string `flag:"ping-path" cfg:"ping_path"` - PingUserAgent string `flag:"ping-user-agent" cfg:"ping_user_agent"` - ReadyPath string `flag:"ready-path" cfg:"ready_path"` - ReverseProxy bool `flag:"reverse-proxy" cfg:"reverse_proxy"` - RealClientIPHeader string `flag:"real-client-ip-header" cfg:"real_client_ip_header"` - TrustedIPs []string `flag:"trusted-ip" cfg:"trusted_ips"` - ForceHTTPS bool `flag:"force-https" cfg:"force_https"` - RawRedirectURL string `flag:"redirect-url" cfg:"redirect_url"` + ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy_prefix"` + PingPath string `flag:"ping-path" cfg:"ping_path"` + PingUserAgent string `flag:"ping-user-agent" cfg:"ping_user_agent"` + ReadyPath string `flag:"ready-path" cfg:"ready_path"` + ReverseProxy bool `flag:"reverse-proxy" cfg:"reverse_proxy"` + RealClientIPHeader string `flag:"real-client-ip-header" cfg:"real_client_ip_header"` + TrustedIPs []string `flag:"trusted-ip" cfg:"trusted_ips"` + ForceHTTPS bool `flag:"force-https" cfg:"force_https"` + RawRedirectURL string `flag:"redirect-url" cfg:"redirect_url"` + RelativeRedirectURL bool `flag:"relative-redirect-url" cfg:"relative_redirect_url"` AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"` EmailDomains []string `flag:"email-domain" cfg:"email_domains"` @@ -117,6 +118,7 @@ func NewFlagSet() *pflag.FlagSet { flagSet.StringSlice("trusted-ip", []string{}, "list of IPs or CIDR ranges to allow to bypass authentication. WARNING: trusting by IP has inherent security flaws, read the configuration documentation for more information.") flagSet.Bool("force-https", false, "force HTTPS redirect for HTTP requests") flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"") + flagSet.Bool("relative-redirect-url", false, "allow relative OAuth Redirect URL.") flagSet.StringSlice("skip-auth-regex", []string{}, "(DEPRECATED for --skip-auth-route) bypass authentication for requests path's that match (may be given multiple times)") flagSet.StringSlice("skip-auth-route", []string{}, "bypass authentication for requests that match the method & path. Format: method=path_regex OR method!=path_regex. For all methods: path_regex OR !=path_regex") flagSet.StringSlice("api-route", []string{}, "return HTTP 401 instead of redirecting to authentication server if token is not valid. Format: path_regex") From a5006fd60623fda8d80f12f18172bc2d9acf1a8d Mon Sep 17 00:00:00 2001 From: emsixteeen Date: Wed, 25 Oct 2023 06:36:17 -0400 Subject: [PATCH 07/17] Issue: 2236 - adds an option to append CA certificates (#2237) * adding append option for custom CA certs * updated test for changed GetCertPool signature, added testing to check functionality of empty and non-empty store * adding legacy options as well * update associated documentation * fixing code climate complaints - reduce number of return statements * Apply suggestions from code review Changes caFilesAppend (and variants) to useSystemTrustStore Co-authored-by: Jan Larwig * Apply suggestions from code review Fixes extra whitespaces and grammar. Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> * fix indentation * update changelog --------- Co-authored-by: Jan Larwig Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Co-authored-by: Joel Speed --- CHANGELOG.md | 1 + docs/docs/configuration/alpha_config.md | 1 + docs/docs/configuration/overview.md | 1 + pkg/apis/options/legacy_options.go | 3 ++ pkg/apis/options/providers.go | 4 +- pkg/util/util.go | 33 ++++++++++++- pkg/util/util_test.go | 64 ++++++++++++++++--------- pkg/validation/options.go | 2 +- 8 files changed, 82 insertions(+), 27 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c087c2e4a..bf6e7c96b6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ ## Changes since v7.5.1 +- [#2237](https://github.com/oauth2-proxy/oauth2-proxy/pull/2237) adds an option to append CA certificates (@emsixteeen) - [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll) - [#2274](https://github.com/oauth2-proxy/oauth2-proxy/pull/2274) Upgrade golang.org/x/net to v0.17.0 (@pierluigilenoci) - [#2282](https://github.com/oauth2-proxy/oauth2-proxy/pull/2282) Fixed checking Google Groups membership using Google Application Credentials (@kvanzuijlen) diff --git a/docs/docs/configuration/alpha_config.md b/docs/docs/configuration/alpha_config.md index a72dc63982..8141f477d0 100644 --- a/docs/docs/configuration/alpha_config.md +++ b/docs/docs/configuration/alpha_config.md @@ -415,6 +415,7 @@ Provider holds all configuration for a single provider | `provider` | _[ProviderType](#providertype)_ | Type is the OAuth provider
must be set from the supported providers group,
otherwise 'Google' is set as default | | `name` | _string_ | Name is the providers display name
if set, it will be shown to the users in the login page. | | `caFiles` | _[]string_ | CAFiles is a list of paths to CA certificates that should be used when connecting to the provider.
If not specified, the default Go trust sources are used instead | +| `useSystemTrustStore` | _bool_ | UseSystemTrustStore determines if your custom CA files and the system trust store are used
If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | | `loginURL` | _string_ | LoginURL is the authentication endpoint | | `loginURLParameters` | _[[]LoginURLParameter](#loginurlparameter)_ | LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL | | `redeemURL` | _string_ | RedeemURL is the token redemption endpoint | diff --git a/docs/docs/configuration/overview.md b/docs/docs/configuration/overview.md index a3629492ba..36848ca6f7 100644 --- a/docs/docs/configuration/overview.md +++ b/docs/docs/configuration/overview.md @@ -154,6 +154,7 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/ | `--prompt` | string | [OIDC prompt](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest); if present, `approval-prompt` is ignored | `""` | | `--provider` | string | OAuth provider | google | | `--provider-ca-file` | string \| list | Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead. | +| `--use-system-trust-store` | bool | Determines if `provider-ca-file` files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | false | | `--provider-display-name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) | | `--ping-path` | string | the ping endpoint that can be used for basic health checks | `"/ping"` | | `--ping-user-agent` | string | a User-Agent that can be used for basic health checks | `""` (don't check user agent) | diff --git a/pkg/apis/options/legacy_options.go b/pkg/apis/options/legacy_options.go index 99be34b93b..1bb061047e 100644 --- a/pkg/apis/options/legacy_options.go +++ b/pkg/apis/options/legacy_options.go @@ -507,6 +507,7 @@ type LegacyProvider struct { ProviderType string `flag:"provider" cfg:"provider"` ProviderName string `flag:"provider-display-name" cfg:"provider_display_name"` ProviderCAFiles []string `flag:"provider-ca-file" cfg:"provider_ca_files"` + UseSystemTrustStore bool `flag:"use-system-trust-store" cfg:"use_system_trust_store"` OIDCIssuerURL string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url"` InsecureOIDCAllowUnverifiedEmail bool `flag:"insecure-oidc-allow-unverified-email" cfg:"insecure_oidc_allow_unverified_email"` InsecureOIDCSkipIssuerVerification bool `flag:"insecure-oidc-skip-issuer-verification" cfg:"insecure_oidc_skip_issuer_verification"` @@ -561,6 +562,7 @@ func legacyProviderFlagSet() *pflag.FlagSet { flagSet.String("provider", "google", "OAuth provider") flagSet.String("provider-display-name", "", "Provider display name") flagSet.StringSlice("provider-ca-file", []string{}, "One or more paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead.") + flagSet.Bool("use-system-trust-store", false, "Determines if 'provider-ca-file' files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files.") flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (ie: https://accounts.google.com)") flagSet.Bool("insecure-oidc-allow-unverified-email", false, "Don't fail if an email address in an id_token is not verified") flagSet.Bool("insecure-oidc-skip-issuer-verification", false, "Do not verify if issuer matches OIDC discovery URL") @@ -659,6 +661,7 @@ func (l *LegacyProvider) convert() (Providers, error) { ClientSecretFile: l.ClientSecretFile, Type: ProviderType(l.ProviderType), CAFiles: l.ProviderCAFiles, + UseSystemTrustStore: l.UseSystemTrustStore, LoginURL: l.LoginURL, RedeemURL: l.RedeemURL, ProfileURL: l.ProfileURL, diff --git a/pkg/apis/options/providers.go b/pkg/apis/options/providers.go index 9599f239c6..8820f34554 100644 --- a/pkg/apis/options/providers.go +++ b/pkg/apis/options/providers.go @@ -59,7 +59,9 @@ type Provider struct { // CAFiles is a list of paths to CA certificates that should be used when connecting to the provider. // If not specified, the default Go trust sources are used instead CAFiles []string `json:"caFiles,omitempty"` - + // UseSystemTrustStore determines if your custom CA files and the system trust store are used + // If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. + UseSystemTrustStore bool `json:"useSystemTrustStore,omitempty"` // LoginURL is the authentication endpoint LoginURL string `json:"loginURL,omitempty"` // LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL diff --git a/pkg/util/util.go b/pkg/util/util.go index a4425d9b74..0f3d70ad85 100644 --- a/pkg/util/util.go +++ b/pkg/util/util.go @@ -14,11 +14,40 @@ import ( "time" ) -func GetCertPool(paths []string) (*x509.CertPool, error) { +func GetCertPool(paths []string, useSystemPool bool) (*x509.CertPool, error) { if len(paths) == 0 { return nil, fmt.Errorf("invalid empty list of Root CAs file paths") } - pool := x509.NewCertPool() + + var pool *x509.CertPool + if useSystemPool { + rootPool, err := getSystemCertPool() + if err != nil { + return nil, fmt.Errorf("unable to get SystemCertPool when append is true - #{err}") + } + pool = rootPool + } else { + pool = x509.NewCertPool() + } + + return loadCertsFromPaths(paths, pool) + +} + +func getSystemCertPool() (*x509.CertPool, error) { + rootPool, err := x509.SystemCertPool() + if err != nil { + return nil, err + } + + if rootPool == nil { + return nil, fmt.Errorf("SystemCertPool is empty") + } + + return rootPool, nil +} + +func loadCertsFromPaths(paths []string, pool *x509.CertPool) (*x509.CertPool, error) { for _, path := range paths { // Cert paths are a configurable option data, err := os.ReadFile(path) // #nosec G304 diff --git a/pkg/util/util_test.go b/pkg/util/util_test.go index b8eff50293..167c3e59ac 100644 --- a/pkg/util/util_test.go +++ b/pkg/util/util_test.go @@ -190,7 +190,7 @@ func makeTestCertFile(t *testing.T, pem, dir string) *os.File { } func TestGetCertPool_NoRoots(t *testing.T) { - _, err := GetCertPool([]string(nil)) + _, err := GetCertPool([]string(nil), false) assert.Error(t, err, "invalid empty list of Root CAs file paths") } @@ -204,34 +204,52 @@ func TestGetCertPool(t *testing.T) { } }(tempDir) + rootPool, _ := x509.SystemCertPool() + cleanPool := x509.NewCertPool() + + tests := []struct { + appendCerts bool + pool *x509.CertPool + }{ + {false, cleanPool}, + {true, rootPool}, + } + certFile1 := makeTestCertFile(t, root1Cert, tempDir) certFile2 := makeTestCertFile(t, root2Cert, tempDir) - certPool, err := GetCertPool([]string{certFile1.Name(), certFile2.Name()}) - assert.NoError(t, err) + for _, tc := range tests { + // Append certs to "known" pool so we can compare them + assert.True(t, tc.pool.AppendCertsFromPEM([]byte(root1Cert))) + assert.True(t, tc.pool.AppendCertsFromPEM([]byte(root2Cert))) - cert1Block, _ := pem.Decode([]byte(cert1Cert)) - cert1, _ := x509.ParseCertificate(cert1Block.Bytes) - assert.Equal(t, cert1.Subject.String(), cert1CertSubj) + certPool, err := GetCertPool([]string{certFile1.Name(), certFile2.Name()}, tc.appendCerts) + assert.NoError(t, err) + assert.True(t, tc.pool.Equal(certPool)) - cert2Block, _ := pem.Decode([]byte(cert2Cert)) - cert2, _ := x509.ParseCertificate(cert2Block.Bytes) - assert.Equal(t, cert2.Subject.String(), cert2CertSubj) + cert1Block, _ := pem.Decode([]byte(cert1Cert)) + cert1, _ := x509.ParseCertificate(cert1Block.Bytes) + assert.Equal(t, cert1.Subject.String(), cert1CertSubj) - cert3Block, _ := pem.Decode([]byte(cert3Cert)) - cert3, _ := x509.ParseCertificate(cert3Block.Bytes) - assert.Equal(t, cert3.Subject.String(), cert3CertSubj) + cert2Block, _ := pem.Decode([]byte(cert2Cert)) + cert2, _ := x509.ParseCertificate(cert2Block.Bytes) + assert.Equal(t, cert2.Subject.String(), cert2CertSubj) - opts := x509.VerifyOptions{ - Roots: certPool, - } + cert3Block, _ := pem.Decode([]byte(cert3Cert)) + cert3, _ := x509.ParseCertificate(cert3Block.Bytes) + assert.Equal(t, cert3.Subject.String(), cert3CertSubj) + + opts := x509.VerifyOptions{ + Roots: certPool, + } - // "cert1" and "cert2" should be valid because "root1" and "root2" are in the certPool - // "cert3" should not be valid because "root3" is not in the certPool - _, err1 := cert1.Verify(opts) - assert.NoError(t, err1) - _, err2 := cert2.Verify(opts) - assert.NoError(t, err2) - _, err3 := cert3.Verify(opts) - assert.Error(t, err3) + // "cert1" and "cert2" should be valid because "root1" and "root2" are in the certPool + // "cert3" should not be valid because "root3" is not in the certPool + _, err1 := cert1.Verify(opts) + assert.NoError(t, err1) + _, err2 := cert2.Verify(opts) + assert.NoError(t, err2) + _, err3 := cert3.Verify(opts) + assert.Error(t, err3) + } } diff --git a/pkg/validation/options.go b/pkg/validation/options.go index a3ce0518ec..8c804829f1 100644 --- a/pkg/validation/options.go +++ b/pkg/validation/options.go @@ -37,7 +37,7 @@ func Validate(o *options.Options) error { } http.DefaultClient = &http.Client{Transport: insecureTransport} } else if len(o.Providers[0].CAFiles) > 0 { - pool, err := util.GetCertPool(o.Providers[0].CAFiles) + pool, err := util.GetCertPool(o.Providers[0].CAFiles, o.Providers[0].UseSystemTrustStore) if err == nil { transport := http.DefaultTransport.(*http.Transport).Clone() transport.TLSClientConfig = &tls.Config{ From 7f6109f4697268e1cbc89e1214ace519be4cbccd Mon Sep 17 00:00:00 2001 From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Date: Wed, 25 Oct 2023 12:37:32 +0200 Subject: [PATCH 08/17] Added an automatic PR labeler (#2286) * Added an automatic PR labeler * Update .github/workflows/labeler.yaml Co-authored-by: Jan Larwig --------- Co-authored-by: Jan Larwig --- .github/labeler.yml | 14 ++++++++++++++ .github/workflows/labeler.yaml | 14 ++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 .github/labeler.yml create mode 100644 .github/workflows/labeler.yaml diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 0000000000..e4e0fa8acd --- /dev/null +++ b/.github/labeler.yml @@ -0,0 +1,14 @@ +go: + - changed-files: '**/*.go' + +docs: + - changed-files: 'docs/**/*' + +changelog: + - changed-files: 'CHANGELOG.md' + +tests: + - changed-files: '**/*_test.go' + +provider: + - changed-files: 'providers/**/*' diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml new file mode 100644 index 0000000000..9d6bce24eb --- /dev/null +++ b/.github/workflows/labeler.yaml @@ -0,0 +1,14 @@ +name: "Pull Request Labeler" +on: + pull_request_target: + +jobs: + triage: + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - uses: actions/labeler@v5 + with: + sync-labels: true From d41141f23b6e5612d00543700355157ecf65ce05 Mon Sep 17 00:00:00 2001 From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Date: Wed, 25 Oct 2023 13:26:30 +0200 Subject: [PATCH 09/17] Update labeler.yaml (#2289) --- .github/workflows/labeler.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml index 9d6bce24eb..bdc5f5c528 100644 --- a/.github/workflows/labeler.yaml +++ b/.github/workflows/labeler.yaml @@ -9,6 +9,6 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v5 + - uses: actions/labeler@v5.0.0-beta.1 with: sync-labels: true From 0061bbeaee8c000fe61dc061bce1f2e4953a48d2 Mon Sep 17 00:00:00 2001 From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Date: Wed, 25 Oct 2023 16:12:49 +0200 Subject: [PATCH 10/17] Rolled back labeler to v4 (#2290) --- .github/labeler.yml | 10 +++++----- .github/workflows/labeler.yaml | 3 ++- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index e4e0fa8acd..e98f674884 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -1,14 +1,14 @@ go: - - changed-files: '**/*.go' + - '**/*.go' docs: - - changed-files: 'docs/**/*' + - 'docs/**/*' changelog: - - changed-files: 'CHANGELOG.md' + - 'CHANGELOG.md' tests: - - changed-files: '**/*_test.go' + - '**/*_test.go' provider: - - changed-files: 'providers/**/*' + - 'providers/**/*' diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml index bdc5f5c528..33711f2f67 100644 --- a/.github/workflows/labeler.yaml +++ b/.github/workflows/labeler.yaml @@ -11,4 +11,5 @@ jobs: steps: - uses: actions/labeler@v5.0.0-beta.1 with: - sync-labels: true + sync: true + dot: true From 4816e873165f266bd0b1e29d36de323ad6fe4db2 Mon Sep 17 00:00:00 2001 From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Date: Wed, 25 Oct 2023 20:14:52 +0200 Subject: [PATCH 11/17] Actually rolled back labeler (#2291) --- .github/workflows/labeler.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml index 33711f2f67..dfa1383bc7 100644 --- a/.github/workflows/labeler.yaml +++ b/.github/workflows/labeler.yaml @@ -9,7 +9,7 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v5.0.0-beta.1 + - uses: actions/labeler@v4 with: sync: true dot: true From 70571d96e163bbf0481d8fc816b8bb3d63747b77 Mon Sep 17 00:00:00 2001 From: Damien Degois Date: Thu, 26 Oct 2023 11:57:00 +0200 Subject: [PATCH 12/17] Add support for unix socket as upstream (#1866) * Add support for unix socket as upstream * Add CHANGELOG.md entry * Add Unix socket documentation * Don't export unixRoundTripper, switch from string prefix to Scheme match * Add basic unix server mock * Add some tests and comments --- CHANGELOG.md | 1 + docs/docs/configuration/overview.md | 6 ++++- pkg/apis/options/legacy_options.go | 2 ++ pkg/upstream/http.go | 35 ++++++++++++++++++++++++++++- pkg/upstream/http_test.go | 23 +++++++++++++++++++ pkg/upstream/proxy.go | 4 ++-- pkg/upstream/proxy_test.go | 26 +++++++++++++++++++++ pkg/upstream/upstream_suite_test.go | 18 +++++++++++---- pkg/validation/upstreams.go | 2 +- 9 files changed, 108 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf6e7c96b6..31e5b55e14 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ - [#2274](https://github.com/oauth2-proxy/oauth2-proxy/pull/2274) Upgrade golang.org/x/net to v0.17.0 (@pierluigilenoci) - [#2282](https://github.com/oauth2-proxy/oauth2-proxy/pull/2282) Fixed checking Google Groups membership using Google Application Credentials (@kvanzuijlen) - [#2183](https://github.com/oauth2-proxy/oauth2-proxy/pull/2183) Allowing relative redirect url though an option +- [#1866](https://github.com/oauth2-proxy/oauth2-proxy/pull/1866) Add support for unix socker as upstream (@babs) - # V7.5.1 diff --git a/docs/docs/configuration/overview.md b/docs/docs/configuration/overview.md index 36848ca6f7..e5613c6115 100644 --- a/docs/docs/configuration/overview.md +++ b/docs/docs/configuration/overview.md @@ -223,7 +223,11 @@ See below for provider specific options ### Upstreams Configuration -`oauth2-proxy` supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as `http://127.0.0.1:8080/` for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide `http://127.0.0.1:8080/some/path/` then it will only be requests that start with `/some/path/` which are forwarded to the upstream. +`oauth2-proxy` supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers, unix socket or serve static files from the file system. + +HTTP and HTTPS upstreams are configured by providing a URL such as `http://127.0.0.1:8080/` for the upstream parameter. . This will forward all authenticated requests to the upstream server. If you instead provide `http://127.0.0.1:8080/some/path/` then it will only be requests that start with `/some/path/` which are forwarded to the upstream. + +Unix socket upstreams are configured as `unix:///path/to/unix.sock`. Static file paths are configured as a file:// URL. `file:///var/www/static/` will serve the files from that directory at `http://[oauth2-proxy url]/var/www/static/`, which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. `file:///var/www/static/#/static/` will make `/var/www/static/` available at `http://[oauth2-proxy url]/static/`. diff --git a/pkg/apis/options/legacy_options.go b/pkg/apis/options/legacy_options.go index 1bb061047e..fcd1f3d3d3 100644 --- a/pkg/apis/options/legacy_options.go +++ b/pkg/apis/options/legacy_options.go @@ -176,6 +176,8 @@ func (l *LegacyUpstreams) convert() (UpstreamConfig, error) { upstream.ProxyWebSockets = nil upstream.FlushInterval = nil upstream.Timeout = nil + case "unix": + upstream.Path = "/" } upstreams.Upstreams = append(upstreams.Upstreams, upstream) diff --git a/pkg/upstream/http.go b/pkg/upstream/http.go index 031368e543..56fcc23e79 100644 --- a/pkg/upstream/http.go +++ b/pkg/upstream/http.go @@ -1,6 +1,8 @@ package upstream import ( + "context" + "net" "net/http" "net/http/httputil" "net/url" @@ -18,6 +20,7 @@ const ( httpScheme = "http" httpsScheme = "https" + unixScheme = "unix" ) // SignatureHeaders contains the headers to be signed by the hmac algorithm @@ -40,7 +43,10 @@ var SignatureHeaders = []string{ // to a single upstream host. func newHTTPUpstreamProxy(upstream options.Upstream, u *url.URL, sigData *options.SignatureData, errorHandler ProxyErrorHandler) http.Handler { // Set path to empty so that request paths start at the server root - u.Path = "" + // Unix scheme need the path to find the socket + if u.Scheme != "unix" { + u.Path = "" + } // Create a ReverseProxy proxy := newReverseProxy(u, upstream, errorHandler) @@ -92,6 +98,25 @@ func (h *httpUpstreamProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) } } +// Unix implementation of http.RoundTripper, required to register unix protocol in reverse proxy +type unixRoundTripper struct { + Transport *http.Transport +} + +// Implementation of https://pkg.go.dev/net/http#RoundTripper interface to support http protocol over unix socket +func (t *unixRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { + // Inspired by https://github.com/tv42/httpunix + // Not having a Host, even if not used, makes the reverseproxy fail with a "no Host in request URL" + if req.Host == "" { + req.Host = "localhost" + } + req.URL.Host = req.Host + tt := t.Transport + req = req.Clone(req.Context()) + req.URL.Scheme = "http" + return tt.RoundTrip(req) +} + // newReverseProxy creates a new reverse proxy for proxying requests to upstream // servers based on the upstream configuration provided. // The proxy should render an error page if there are failures connecting to the @@ -102,6 +127,14 @@ func newReverseProxy(target *url.URL, upstream options.Upstream, errorHandler Pr // Inherit default transport options from Go's stdlib transport := http.DefaultTransport.(*http.Transport).Clone() + if target.Scheme == "unix" { + transport.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) { + dialer := net.Dialer{} + return dialer.DialContext(ctx, target.Scheme, target.Path) + } + transport.RegisterProtocol(target.Scheme, &unixRoundTripper{Transport: transport}) + } + // Change default duration for waiting for an upstream response if upstream.Timeout != nil { transport.ResponseHeaderTimeout = upstream.Timeout.Duration() diff --git a/pkg/upstream/http_test.go b/pkg/upstream/http_test.go index 23753086c3..b18815a2bd 100644 --- a/pkg/upstream/http_test.go +++ b/pkg/upstream/http_test.go @@ -312,6 +312,29 @@ var _ = Describe("HTTP Upstream Suite", func() { }, expectedUpstream: "passExistingHostHeader", }), + Entry("request using UNIX socket upstream", &httpUpstreamTableInput{ + id: "unix-upstream", + serverAddr: &unixServerAddr, + target: "http://example.localhost/file", + method: "GET", + body: []byte{}, + errorHandler: nil, + expectedResponse: testHTTPResponse{ + code: 200, + header: map[string][]string{ + contentType: {applicationJSON}, + }, + request: testHTTPRequest{ + Method: "GET", + URL: "http://example.localhost/file", + Header: map[string][]string{}, + Body: []byte{}, + Host: "example.localhost", + RequestURI: "http://example.localhost/file", + }, + }, + expectedUpstream: "unix-upstream", + }), ) It("ServeHTTP, when not passing a host header", func() { diff --git a/pkg/upstream/proxy.go b/pkg/upstream/proxy.go index eabb47ff7e..0f3f574004 100644 --- a/pkg/upstream/proxy.go +++ b/pkg/upstream/proxy.go @@ -48,9 +48,9 @@ func NewProxy(upstreams options.UpstreamConfig, sigData *options.SignatureData, if err := m.registerFileServer(upstream, u, writer); err != nil { return nil, fmt.Errorf("could not register file upstream %q: %v", upstream.ID, err) } - case httpScheme, httpsScheme: + case httpScheme, httpsScheme, unixScheme: if err := m.registerHTTPUpstreamProxy(upstream, u, sigData, writer); err != nil { - return nil, fmt.Errorf("could not register HTTP upstream %q: %v", upstream.ID, err) + return nil, fmt.Errorf("could not register %s upstream %q: %v", u.Scheme, upstream.ID, err) } default: return nil, fmt.Errorf("unknown scheme for upstream %q: %q", upstream.ID, u.Scheme) diff --git a/pkg/upstream/proxy_test.go b/pkg/upstream/proxy_test.go index 87c27e4bfe..374c59c55b 100644 --- a/pkg/upstream/proxy_test.go +++ b/pkg/upstream/proxy_test.go @@ -98,6 +98,11 @@ var _ = Describe("Proxy Suite", func() { RewriteTarget: "/double-match/rewrite/$1", URI: serverAddr, }, + { + ID: "unix-upstream", + Path: "/unix/", + URI: unixServerAddr, + }, } } @@ -337,6 +342,27 @@ var _ = Describe("Proxy Suite", func() { }, upstream: "", }), + Entry("with a request to the UNIX socket backend", &proxyTableInput{ + target: "http://example.localhost/unix/file", + response: testHTTPResponse{ + code: 200, + header: map[string][]string{ + contentType: {applicationJSON}, + }, + request: testHTTPRequest{ + Method: "GET", + URL: "http://example.localhost/unix/file", + Header: map[string][]string{ + "Gap-Auth": {""}, + "Gap-Signature": {"sha256 4ux8esLj2fw9sTWZwgFhb00bGbw0Fnhed5Fm9jz5Blw="}, + }, + Body: []byte{}, + Host: "example.localhost", + RequestURI: "http://example.localhost/unix/file", + }, + }, + upstream: "unix-upstream", + }), ) }) diff --git a/pkg/upstream/upstream_suite_test.go b/pkg/upstream/upstream_suite_test.go index 95eb681191..ecb8d0b72a 100644 --- a/pkg/upstream/upstream_suite_test.go +++ b/pkg/upstream/upstream_suite_test.go @@ -5,6 +5,7 @@ import ( "fmt" "io" "log" + "net" "net/http" "net/http/httptest" "os" @@ -18,10 +19,12 @@ import ( ) var ( - filesDir string - server *httptest.Server - serverAddr string - invalidServer = "http://::1" + filesDir string + server *httptest.Server + serverAddr string + unixServer *httptest.Server + unixServerAddr string + invalidServer = "http://::1" ) func TestUpstreamSuite(t *testing.T) { @@ -46,10 +49,17 @@ var _ = BeforeSuite(func() { // Set up a webserver that reflects requests server = httptest.NewServer(&testHTTPUpstream{}) serverAddr = fmt.Sprintf("http://%s", server.Listener.Addr().String()) + + unixServer = httptest.NewUnstartedServer(&testHTTPUpstream{}) + unixListener, _ := net.Listen("unix", path.Join(filesDir, "test.sock")) + unixServer.Listener = unixListener + unixServer.Start() + unixServerAddr = fmt.Sprintf("unix://%s", path.Join(filesDir, "test.sock")) }) var _ = AfterSuite(func() { server.Close() + unixServer.Close() Expect(os.RemoveAll(filesDir)).To(Succeed()) }) diff --git a/pkg/validation/upstreams.go b/pkg/validation/upstreams.go index ba1e216a95..bafed628d7 100644 --- a/pkg/validation/upstreams.go +++ b/pkg/validation/upstreams.go @@ -102,7 +102,7 @@ func validateUpstreamURI(upstream options.Upstream) []string { } switch u.Scheme { - case "http", "https", "file": + case "http", "https", "file", "unix": // Valid, do nothing default: msgs = append(msgs, fmt.Sprintf("upstream %q has invalid scheme: %q", upstream.ID, u.Scheme)) From a53da415c9afd00afbf3dbc59cd578c2d66af511 Mon Sep 17 00:00:00 2001 From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Date: Thu, 26 Oct 2023 11:57:34 +0200 Subject: [PATCH 13/17] Additional labels (#2293) * Added docker and dependencies labels * Updated docs label to include all MarkDown related changes --- .github/labeler.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index e98f674884..f79458b1c5 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -2,7 +2,7 @@ go: - '**/*.go' docs: - - 'docs/**/*' + - '**/*.md' changelog: - 'CHANGELOG.md' @@ -12,3 +12,10 @@ tests: provider: - 'providers/**/*' + +dependencies: + - 'go.mod' + - 'go.sum' + +docker: + - '**/Dockerfile' From 76bc2cf73fb643143a69df7a39bd85685355ebdc Mon Sep 17 00:00:00 2001 From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Date: Tue, 31 Oct 2023 20:32:59 +0100 Subject: [PATCH 14/17] Refactored docs (#2284) * Refactored documentation for providers * Lots of fixes - Fixed grammar/typos - Fixed sidebar config - Enabled additional prism languages * Removed useless spaces * Fixed leftover typos * Fixes for verify-generate * Updated package-lock.json --- docs/docs/configuration/alpha_config.md | 10 +- docs/docs/configuration/alpha_config.md.tmpl | 6 +- docs/docs/configuration/auth.md | 692 ----------- docs/docs/configuration/overview.md | 221 ++-- docs/docs/configuration/providers/adfs.md | 19 + docs/docs/configuration/providers/azure.md | 46 + docs/docs/configuration/providers/azure_ad.md | 9 + .../docs/configuration/providers/bitbucket.md | 25 + .../configuration/providers/digitalocean.md | 21 + docs/docs/configuration/providers/facebook.md | 7 + docs/docs/configuration/providers/gitea.md | 20 + docs/docs/configuration/providers/github.md | 43 + docs/docs/configuration/providers/gitlab.md | 36 + docs/docs/configuration/providers/google.md | 63 + docs/docs/configuration/providers/index.md | 42 + docs/docs/configuration/providers/keycloak.md | 36 + .../configuration/providers/keycloak_oidc.md | 143 +++ docs/docs/configuration/providers/linkedin.md | 13 + .../docs/configuration/providers/login_gov.md | 79 ++ .../docs/configuration/providers/nextcloud.md | 28 + .../configuration/providers/openid_connect.md | 146 +++ docs/docs/configuration/sessions.md | 15 +- docs/docs/features/endpoints.md | 8 +- docs/docs/installation.md | 18 +- docs/docusaurus.config.js | 3 + docs/package-lock.json | 1076 +++++++++-------- docs/package.json | 4 +- docs/sidebars.js | 45 +- pkg/apis/options/legacy_options.go | 2 +- pkg/apis/options/upstreams.go | 4 +- 30 files changed, 1502 insertions(+), 1378 deletions(-) delete mode 100644 docs/docs/configuration/auth.md create mode 100644 docs/docs/configuration/providers/adfs.md create mode 100644 docs/docs/configuration/providers/azure.md create mode 100644 docs/docs/configuration/providers/azure_ad.md create mode 100644 docs/docs/configuration/providers/bitbucket.md create mode 100644 docs/docs/configuration/providers/digitalocean.md create mode 100644 docs/docs/configuration/providers/facebook.md create mode 100644 docs/docs/configuration/providers/gitea.md create mode 100644 docs/docs/configuration/providers/github.md create mode 100644 docs/docs/configuration/providers/gitlab.md create mode 100644 docs/docs/configuration/providers/google.md create mode 100644 docs/docs/configuration/providers/index.md create mode 100644 docs/docs/configuration/providers/keycloak.md create mode 100644 docs/docs/configuration/providers/keycloak_oidc.md create mode 100644 docs/docs/configuration/providers/linkedin.md create mode 100644 docs/docs/configuration/providers/login_gov.md create mode 100644 docs/docs/configuration/providers/nextcloud.md create mode 100644 docs/docs/configuration/providers/openid_connect.md diff --git a/docs/docs/configuration/alpha_config.md b/docs/docs/configuration/alpha_config.md index 8141f477d0..fbbc538443 100644 --- a/docs/docs/configuration/alpha_config.md +++ b/docs/docs/configuration/alpha_config.md @@ -23,13 +23,13 @@ When using alpha configuration, your config file will look something like below: ```yaml upstreams: - id: ... - ... + ...: ... injectRequestHeaders: - name: ... - ... + ...: ... injectResponseHeaders: - name: ... - ... + ...: ... ``` Please browse the [reference](#configuration-reference) below for the structure @@ -512,7 +512,7 @@ Requests will be proxied to this upstream if the path matches the request path. | `path` | _string_ | Path is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
Path can also take a pattern when used with RewriteTarget.
Path segments can be captured and matched using regular experessions.
Eg:
- `^/foo$`: Match only the explicit path `/foo`
- `^/bar/$`: Match any path prefixed with `/bar/`
- `^/baz/(.*)$`: Match any path prefixed with `/baz` and capture the remaining path for use with RewriteTarget | | `rewriteTarget` | _string_ | RewriteTarget allows users to rewrite the request path before it is sent to
the upstream server.
Use the Path to capture segments for reuse within the rewrite target.
Eg: With a Path of `^/baz/(.*)`, a RewriteTarget of `/foo/$1` would rewrite
the request `/baz/abc/123` to `/foo/abc/123` before proxying to the
upstream server. | | `uri` | _string_ | The URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir". | -| `insecureSkipTLSVerify` | _bool_ | InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false. | +| `insecureSkipTLSVerify` | _bool_ | InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
between OAuth2 Proxy and the upstream server.
Defaults to false. | | `static` | _bool_ | Static will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response. | | `staticCode` | _int_ | StaticCode determines the response code for the Static response.
This option can only be used with Static enabled. | | `flushInterval` | _[Duration](#duration)_ | FlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second. | @@ -528,5 +528,5 @@ UpstreamConfig is a collection of definitions for upstream servers. | Field | Type | Description | | ----- | ---- | ----------- | -| `proxyRawPath` | _bool_ | ProxyRawPath will pass the raw url path to upstream allowing for url's
like: "/%2F/" which would otherwise be redirected to "/" | +| `proxyRawPath` | _bool_ | ProxyRawPath will pass the raw url path to upstream allowing for urls
like: "/%2F/" which would otherwise be redirected to "/" | | `upstreams` | _[[]Upstream](#upstream)_ | Upstreams represents the configuration for the upstream servers.
Requests will be proxied to this upstream if the path matches the request path. | diff --git a/docs/docs/configuration/alpha_config.md.tmpl b/docs/docs/configuration/alpha_config.md.tmpl index 591c6a00d2..3a68ab7037 100644 --- a/docs/docs/configuration/alpha_config.md.tmpl +++ b/docs/docs/configuration/alpha_config.md.tmpl @@ -23,13 +23,13 @@ When using alpha configuration, your config file will look something like below: ```yaml upstreams: - id: ... - ... + ...: ... injectRequestHeaders: - name: ... - ... + ...: ... injectResponseHeaders: - name: ... - ... + ...: ... ``` Please browse the [reference](#configuration-reference) below for the structure diff --git a/docs/docs/configuration/auth.md b/docs/docs/configuration/auth.md deleted file mode 100644 index 36fd2ef4f3..0000000000 --- a/docs/docs/configuration/auth.md +++ /dev/null @@ -1,692 +0,0 @@ ---- -id: oauth_provider -title: OAuth Provider Configuration ---- - -You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run `oauth2-proxy` on. - -Valid providers are : - -- [Google](#google-auth-provider) _default_ -- [Azure](#azure-auth-provider) -- [ADFS](#adfs-auth-provider) -- [Facebook](#facebook-auth-provider) -- [GitHub](#github-auth-provider) -- [Gitea](#gitea-auth-provider) -- [Keycloak](#keycloak-auth-provider) -- [GitLab](#gitlab-auth-provider) -- [LinkedIn](#linkedin-auth-provider) -- [Microsoft Azure AD](#microsoft-azure-ad-provider) -- [OpenID Connect](#openid-connect-provider) -- [login.gov](#logingov-provider) -- [Nextcloud](#nextcloud-provider) -- [DigitalOcean](#digitalocean-auth-provider) -- [Bitbucket](#bitbucket-auth-provider) - -The provider can be selected using the `provider` configuration value. - -Please note that not all providers support all claims. The `preferred_username` claim is currently only supported by the OpenID Connect provider. - -### Google Auth Provider - -For Google, the registration steps are: - -1. Create a new project: https://console.developers.google.com/project -2. Choose the new project from the top right project dropdown (only if another project is selected) -3. In the project Dashboard center pane, choose **"APIs & Services"** -4. In the left Nav pane, choose **"Credentials"** -5. In the center pane, choose **"OAuth consent screen"** tab. Fill in **"Product name shown to users"** and hit save. -6. In the center pane, choose **"Credentials"** tab. - - Open the **"New credentials"** drop down - - Choose **"OAuth client ID"** - - Choose **"Web application"** - - Application name is freeform, choose something appropriate - - Authorized JavaScript origins is your domain ex: `https://internal.yourcompany.com` - - Authorized redirect URIs is the location of oauth2/callback ex: `https://internal.yourcompany.com/oauth2/callback` - - Choose **"Create"** -7. Take note of the **Client ID** and **Client Secret** - -It's recommended to refresh sessions on a short interval (1h) with `cookie-refresh` setting which validates that the account is still authorized. - -#### Restrict auth to specific Google groups on your domain. (optional) - -1. Create a [service account](https://developers.google.com/identity/protocols/OAuth2ServiceAccount) and download the json -file if you're not using [Application Default Credentials / Workload Identity / Workload Identity Federation (recommended)](#using-application-default-credentials-adc--workload-identity--workload-identity-federation-recommended). -2. Make note of the Client ID for a future step. -3. Under "APIs & Auth", choose APIs. -4. Click on Admin SDK and then Enable API. -5. Follow the steps on https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account and give the client id from step 2 the following oauth scopes: - - -##### Using Application Default Credentials (ADC) / Workload Identity / Workload Identity Federation (recommended) -oauth2-proxy can make use of [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials). -When deployed within GCP, this means that it can automatically use the service account attached to the resource. When deployed to GKE, ADC -can be leveraged through a feature called Workload Identity. Follow Google's [guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) -to set up Workload Identity. - -When deployed outside of GCP, [Workload Identity Federation](https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif) might be an option. - -``` -https://www.googleapis.com/auth/admin.directory.group.readonly -https://www.googleapis.com/auth/admin.directory.user.readonly -``` - -6. Follow the steps on https://support.google.com/a/answer/60757 to enable Admin API access. -7. Create or choose an existing administrative email address on the Gmail domain to assign to the `google-admin-email` flag. This email will be impersonated by this client to make calls to the Admin SDK. See the note on the link from step 5 for the reason why. -8. Create or choose an existing email group and set that email to the `google-group` flag. You can pass multiple instances of this flag with different groups - and the user will be checked against all the provided groups. -9. Lock down the permissions on the json file downloaded from step 1 so only oauth2-proxy is able to read the file and set the path to the file in the `google-service-account-json` flag. -10. Restart oauth2-proxy. - -Note: The user is checked against the group members list on initial authentication and every time the token is refreshed ( about once an hour ). - -### Azure Auth Provider - -1. Add an application: go to [https://portal.azure.com](https://portal.azure.com), choose **Azure Active Directory**, select -**App registrations** and then click on **New registration**. -2. Pick a name, check the supported account type(single-tenant, multi-tenant, etc). In the **Redirect URI** section create a new -**Web** platform entry for each app that you want to protect by the oauth2 proxy(e.g. -https://internal.yourcompanycom/oauth2/callback). Click **Register**. -3. Next we need to add group read permissions for the app registration, on the **API Permissions** page of the app, click on -**Add a permission**, select **Microsoft Graph**, then select **Application permissions**, then click on **Group** and select -**Group.Read.All**. Hit **Add permissions** and then on **Grant admin consent** (you might need an admin to do this). -
**IMPORTANT**: Even if this permission is listed with **"Admin consent required=No"** the consent might actually be required, due to AAD policies you won't be able to see. If you get a **"Need admin approval"** during login, most likely this is what you're missing! -4. Next, if you are planning to use v2.0 Azure Auth endpoint, go to the **Manifest** page and set `"accessTokenAcceptedVersion": 2` -in the App registration manifest file. -5. On the **Certificates & secrets** page of the app, add a new client secret and note down the value after hitting **Add**. -6. Configure the proxy with: -- for V1 Azure Auth endpoint (Azure Active Directory Endpoints - https://login.microsoftonline.com/common/oauth2/authorize) - -``` - --provider=azure - --client-id= - --client-secret= - --azure-tenant={tenant-id} - --oidc-issuer-url=https://sts.windows.net/{tenant-id}/ -``` - -- for V2 Azure Auth endpoint (Microsoft Identity Platform Endpoints - https://login.microsoftonline.com/common/oauth2/v2.0/authorize) -``` - --provider=azure - --client-id= - --client-secret= - --azure-tenant={tenant-id} - --oidc-issuer-url=https://login.microsoftonline.com/{tenant-id}/v2.0 -``` - -***Notes***: -- When using v2.0 Azure Auth endpoint (`https://login.microsoftonline.com/{tenant-id}/v2.0`) as `--oidc_issuer_url`, in conjunction -with `--resource` flag, be sure to append `/.default` at the end of the resource name. See -https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope for more details. -- When using the Azure Auth provider with nginx and the cookie session store you may find the cookie is too large and doesn't -get passed through correctly. Increasing the proxy_buffer_size in nginx or implementing the [redis session storage](sessions.md#redis-storage) -should resolve this. - -### ADFS Auth Provider - -1. Open the ADFS administration console on your Windows Server and add a new Application Group -2. Provide a name for the integration, select Server Application from the Standalone applications section and click Next -3. Follow the wizard to get the client-id, client-secret and configure the application credentials -4. Configure the proxy with - -``` - --provider=adfs - --client-id= - --client-secret= -``` - -Note: When using the ADFS Auth provider with nginx and the cookie session store you may find the cookie is too large and doesn't get passed through correctly. Increasing the proxy_buffer_size in nginx or implementing the [redis session storage](sessions.md#redis-storage) should resolve this. - -### Facebook Auth Provider - -1. Create a new FB App from -2. Under FB Login, set your Valid OAuth redirect URIs to `https://internal.yourcompany.com/oauth2/callback` - -### GitHub Auth Provider - -1. Create a new project: https://github.com/settings/developers -2. Under `Authorization callback URL` enter the correct url ie `https://internal.yourcompany.com/oauth2/callback` - -The GitHub auth provider supports two additional ways to restrict authentication to either organization and optional team level access, or to collaborators of a repository. Restricting by these options is normally accompanied with `--email-domain=*` - -NOTE: When `--github-user` is set, the specified users are allowed to login even if they do not belong to the specified org and team or collaborators. - -To restrict by organization only, include the following flag: - - -github-org="": restrict logins to members of this organisation - -To restrict within an organization to specific teams, include the following flag in addition to `-github-org`: - - -github-team="": restrict logins to members of any of these teams (slug), separated by a comma - -If you would rather restrict access to collaborators of a repository, those users must either have push access to a public repository or any access to a private repository: - - -github-repo="": restrict logins to collaborators of this repository formatted as orgname/repo - -If you'd like to allow access to users with **read only** access to a **public** repository you will need to provide a [token](https://github.com/settings/tokens) for a user that has write access to the repository. The token must be created with at least the `public_repo` scope: - - -github-token="": the token to use when verifying repository collaborators - -To allow a user to login with their username even if they do not belong to the specified org and team or collaborators, separated by a comma - - -github-user="": allow logins by username, separated by a comma - -If you are using GitHub enterprise, make sure you set the following to the appropriate url: - - -login-url="http(s):///login/oauth/authorize" - -redeem-url="http(s):///login/oauth/access_token" - -validate-url="http(s):///api/v3" - -### Gitea Auth Provider - -1. Create a new application: `https://< your gitea host >/user/settings/applications` -2. Under `Redirect URI` enter the correct URL i.e. `https:///oauth2/callback` -3. Note the Client ID and Client Secret. -4. Pass the following options to the proxy: - -``` - --provider="github" - --redirect-url="https:///oauth2/callback" - --provider-display-name="Gitea" - --client-id="< client_id as generated by Gitea >" - --client-secret="< client_secret as generated by Gitea >" - --login-url="https://< your gitea host >/login/oauth/authorize" - --redeem-url="https://< your gitea host >/login/oauth/access_token" - --validate-url="https://< your gitea host >/api/v1/user/emails" -``` - - -### Keycloak Auth Provider - -:::note -This is the legacy provider for Keycloak, use [Keycloak OIDC Auth Provider](#keycloak-oidc-auth-provider) if possible. -::: - -1. Create new client in your Keycloak realm with **Access Type** 'confidental' and **Valid Redirect URIs** 'https://internal.yourcompany.com/oauth2/callback' -2. Take note of the Secret in the credential tab of the client -3. Create a mapper with **Mapper Type** 'Group Membership' and **Token Claim Name** 'groups'. - -Make sure you set the following to the appropriate url: - -``` - --provider=keycloak - --client-id= - --client-secret= - --login-url="http(s):///auth/realms//protocol/openid-connect/auth" - --redeem-url="http(s):///auth/realms//protocol/openid-connect/token" - --profile-url="http(s):///auth/realms//protocol/openid-connect/userinfo" - --validate-url="http(s):///auth/realms//protocol/openid-connect/userinfo" - --keycloak-group= - --keycloak-group= -``` - -For group based authorization, the optional `--keycloak-group` (legacy) or `--allowed-group` (global standard) -flags can be used to specify which groups to limit access to. - -If these are unset but a `groups` mapper is set up above in step (3), the provider will still -populate the `X-Forwarded-Groups` header to your upstream server with the `groups` data in the -Keycloak userinfo endpoint response. - -The group management in keycloak is using a tree. If you create a group named admin in keycloak -you should define the 'keycloak-group' value to /admin. - -### Keycloak OIDC Auth Provider - -``` - --provider=keycloak-oidc - --client-id= - --client-secret= - --redirect-url=https://internal.yourcompany.com/oauth2/callback - --oidc-issuer-url=https:///realms/ // For Keycloak versions <17: --oidc-issuer-url=https:///auth/realms/ - --email-domain= // Validate email domain for users, see option documentation - --allowed-role= // Optional, required realm role - --allowed-role=: // Optional, required client role - --allowed-group= // Optional, requires group client scope - --code-challenge-method=S256 // PKCE -``` - -:::note -Keycloak has updated its admin console and as of version 19.0.0, the new admin console is enabled by default. The legacy admin console has been announced for removal with the release of version 21.0.0. -::: - -**Keycloak legacy admin console** - -1. Create new client in your Keycloak realm with **Access Type** 'confidential', **Client protocol** 'openid-connect' and **Valid Redirect URIs** 'https://internal.yourcompany.com/oauth2/callback' -2. Take note of the Secret in the credential tab of the client -3. Create a mapper with **Mapper Type** 'Group Membership' and **Token Claim Name** 'groups'. -4. Create a mapper with **Mapper Type** 'Audience' and **Included Client Audience** and **Included Custom Audience** set to your client name. - -**Keycloak new admin console (default as of v19.0.0)** - -The following example shows how to create a simple OIDC client using the new Keycloak admin2 console. However, for best practices, it is recommended to consult the Keycloak documentation. - -The OIDC client must be configured with an _audience mapper_ to include the client's name in the `aud` claim of the JWT token. -The `aud` claim specifies the intended recipient of the token, and OAuth2 Proxy expects a match against the values of either `--client-id` or `--oidc-extra-audience`. - -_In Keycloak, claims are added to JWT tokens through the use of mappers at either the realm level using "client scopes" or through "dedicated" client mappers._ - -**Creating the client** - -1. Create a new OIDC client in your Keycloak realm by navigating to: - **Clients** -> **Create client** -* **Client Type** 'OpenID Connect' -* **Client ID** ``, please complete the remaining fields as appropriate and click **Next**. - * **Client authentication** 'On' - * **Authentication flow** - * **Standard flow** 'selected' - * **Direct access grants** 'deselect' - * _Save the configuration._ - * **Settings / Access settings**: - * **Valid redirect URIs** `https://internal.yourcompany.com/oauth2/callback` - * _Save the configuration._ - * Under the **Credentials** tab you will now be able to locate ``. -2. Configure a dedicated *audience mapper* for your client by navigating to **Clients** -> **** -> **Client scopes**. -* Access the dedicated mappers pane by clicking **-dedicated**, located under *Assigned client scope*. - _(It should have a description of "Dedicated scope and mappers for this client")_ - * Click **Configure a new mapper** and select **Audience** - * **Name** 'aud-mapper-' - * **Included Client Audience** select `` from the dropdown. - * _OAuth2 proxy can be set up to pass both the access and ID JWT tokens to your upstream services. - If you require additional audience entries, you can use the **Included Custom Audience** field in addition to the "Included Client Audience" dropdown. Note that the "aud" claim of a JWT token should be limited and only specify its intended recipients._ - * **Add to ID token** 'On' - * **Add to access token** 'On' - [#1916](https://github.com/oauth2-proxy/oauth2-proxy/pull/1916) - * _Save the configuration._ -* Any subsequent dedicated client mappers can be defined by clicking **Dedicated scopes** -> **Add mapper** -> **By configuration** -> *Select mapper* - -You should now be able to create a test user in Keycloak and get access to the OAuth2 Proxy instance, make sure to set an email address matching `` and select _Email verified_. - -**Authorization** - -_OAuth2 Proxy will perform authorization by requiring a valid user, this authorization can be extended to take into account a user's membership in Keycloak `groups`, `realm roles`, and `client roles` using the keycloak-oidc provider options -`--allowed-role` or `--allowed-group`_ - -**Roles** - -_A standard Keycloak installation comes with the required mappers for **realm roles** and **client roles** through the pre-defined client scope "roles". -This ensures that any roles assigned to a user are included in the `JWT` tokens when using an OIDC client that has the "Full scope allowed" feature activated, the feature is enabled by default._ - -_Creating a realm role_ -* Navigate to **Realm roles** -> **Create role** - * **Role name**, *``* -> **save** - -_Creating a client role_ -* Navigate to **Clients** -> `` -> **Roles** -> **Create role** - * **Role name**, *``* -> **save** - - -_Assign a role to a user_ - -**Users** -> _Username_ -> **Role mapping** -> **Assign role** -> _filter by roles or clients and select_ -> **Assign**. - -Keycloak "realm roles" can be authorized using the `--allowed-role=` option, while "client roles" can be evaluated using `--allowed-role=:`. - -You may limit the _realm roles_ included in the JWT tokens for any given client by navigating to: -**Clients** -> `` -> **Client scopes** -> _-dedicated_ -> **Scope** -Disabling **Full scope allowed** activates the **Assign role** option, allowing you to select which roles, if assigned to a user, will be included in the user's JWT tokens. This can be useful when a user has many associated roles, and you want to reduce the size and impact of the JWT token. - - -**Groups** - -You may also do authorization on group memberships by using the OAuth2 Proxy option `--allowed-group`. -We will only do a brief description of creating the required _client scope_ **groups** and refer you to read the Keycloak documentation. - -To summarize, the steps required to authorize Keycloak group membership with OAuth2 Proxy are as follows: - -* Create a new Client Scope with the name **groups** in Keycloak. - * Include a mapper of type **Group Membership**. - * Set the "Token Claim Name" to **groups** or customize by matching it to the `--oidc-groups-claim` option of OAuth2 Proxy. - * If the "Full group path" option is selected, you need to include a "/" separator in the group names defined in the `--allowed-group` option of OAuth2 Proxy. Example: "/groupname" or "/groupname/childgroup". - -After creating the _Client Scope_ named _groups_ you will need to attach it to your client. -**Clients** -> `` -> **Client scopes** -> **Add client scope** -> Select **groups** and choose Optional and you should now have a client that maps group memberships into the JWT tokens so that Oauth2 Proxy may evaluate them. - -Create a group by navigating to **Groups** -> **Create group** and _add_ your test user as a member. - -The OAuth2 Proxy option `--allowed-group=/groupname` will now allow you to filter on group membership - -Keycloak also has the option of attaching roles to groups, please refer to the Keycloak documentation for more information. - -**Tip** - -To check if roles or groups are added to JWT tokens, you can preview a users token in the Keycloak console by following these steps: -**Clients** -> `` -> **Client scopes** -> **Evaluate**. -Select a _realm user_ and optional _scope parameters_ such as groups, and generate the JSON representation of an access or id token to examine its contents. - - -### GitLab Auth Provider - -This auth provider has been tested against Gitlab version 12.X. Due to Gitlab API changes, it may not work for version prior to 12.X (see [994](https://github.com/oauth2-proxy/oauth2-proxy/issues/994)). - -Whether you are using GitLab.com or self-hosting GitLab, follow [these steps to add an application](https://docs.gitlab.com/ce/integration/oauth_provider.html). Make sure to enable at least the `openid`, `profile` and `email` scopes, and set the redirect url to your application url e.g. https://myapp.com/oauth2/callback. - -If you need projects filtering, add the extra `read_api` scope to your application. - -The following config should be set to ensure that the oauth will work properly. To get a cookie secret follow [these steps](./overview.md#generating-a-cookie-secret) - -``` - --provider="gitlab" - --redirect-url="https://myapp.com/oauth2/callback" // Should be the same as the redirect url for the application in gitlab - --client-id=GITLAB_CLIENT_ID - --client-secret=GITLAB_CLIENT_SECRET - --cookie-secret=COOKIE_SECRET -``` - -Restricting by group membership is possible with the following option: - - --gitlab-group="mygroup,myothergroup": restrict logins to members of any of these groups (slug), separated by a comma - -If you are using self-hosted GitLab, make sure you set the following to the appropriate URL: - - --oidc-issuer-url="" - -If your self-hosted GitLab is on a sub-directory (e.g. domain.tld/gitlab), as opposed to its own sub-domain (e.g. gitlab.domain.tld), you may need to add a redirect from domain.tld/oauth pointing at e.g. domain.tld/gitlab/oauth. - -### LinkedIn Auth Provider - -For LinkedIn, the registration steps are: - -1. Create a new project: https://www.linkedin.com/secure/developer -2. In the OAuth User Agreement section: - - In default scope, select r_basicprofile and r_emailaddress. - - In "OAuth 2.0 Redirect URLs", enter `https://internal.yourcompany.com/oauth2/callback` -3. Fill in the remaining required fields and Save. -4. Take note of the **Consumer Key / API Key** and **Consumer Secret / Secret Key** - -### Microsoft Azure AD Provider - -For adding an application to the Microsoft Azure AD follow [these steps to add an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app). - -Take note of your `TenantId` if applicable for your situation. The `TenantId` can be used to override the default `common` authorization server with a tenant specific server. - -### OpenID Connect Provider - -OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many major providers and several open source projects. - -This provider was originally built against CoreOS Dex and we will use it as an example. -The OpenID Connect Provider (OIDC) can also be used to connect to other Identity Providers such as Okta, an example can be found below. - -#### Dex - -To configure the OIDC provider for Dex, perform the following steps: - -1. Download Dex: - - ``` - go get github.com/dexidp/dex - ``` - - See the [getting started guide](https://dexidp.io/docs/getting-started/) for more details. - -2. Setup oauth2-proxy with the correct provider and using the default ports and callbacks. Add a configuration block to the `staticClients` section of `examples/config-dev.yaml`: - - ``` - - id: oauth2-proxy - redirectURIs: - - 'http://127.0.0.1:4180/oauth2/callback' - name: 'oauth2-proxy' - secret: proxy - ``` - -3. Launch Dex: from `$GOPATH/github.com/dexidp/dex`, run: - - ``` - bin/dex serve examples/config-dev.yaml - ``` - -4. In a second terminal, run the oauth2-proxy with the following args: - - ``` - -provider oidc - -provider-display-name "My OIDC Provider" - -client-id oauth2-proxy - -client-secret proxy - -redirect-url http://127.0.0.1:4180/oauth2/callback - -oidc-issuer-url http://127.0.0.1:5556/dex - -cookie-secure=false - -cookie-secret=secret - -email-domain kilgore.trout - ``` - - To serve the current working directory as a web site under the `/static` endpoint, add: - - ``` - -upstream file://$PWD/#/static/ - ``` - -5. Test the setup by visiting http://127.0.0.1:4180 or http://127.0.0.1:4180/static . - -See also [our local testing environment](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/local-environment) for a self-contained example using Docker and etcd as storage for Dex. - -#### Okta - -To configure the OIDC provider for Okta, perform the following steps: - -1. Log in to Okta using an administrative account. It is suggested you try this in preview first, `example.oktapreview.com` -2. (OPTIONAL) If you want to configure authorization scopes and claims to be passed on to multiple applications, -you may wish to configure an authorization server for each application. Otherwise, the provided `default` will work. -* Navigate to **Security** then select **API** -* Click **Add Authorization Server**, if this option is not available you may require an additional license for a custom authorization server. -* Fill out the **Name** with something to describe the application you are protecting. e.g. 'Example App'. -* For **Audience**, pick the URL of the application you wish to protect: https://example.corp.com -* Fill out a **Description** -* Add any **Access Policies** you wish to configure to limit application access. -* The default settings will work for other options. -[See Okta documentation for more information on Authorization Servers](https://developer.okta.com/docs/guides/customize-authz-server/overview/) -3. Navigate to **Applications** then select **Add Application**. -* Select **Web** for the **Platform** setting. -* Select **OpenID Connect** and click **Create** -* Pick an **Application Name** such as `Example App`. -* Set the **Login redirect URI** to `https://example.corp.com`. -* Under **General** set the **Allowed grant types** to `Authorization Code` and `Refresh Token`. -* Leave the rest as default, taking note of the `Client ID` and `Client Secret`. -* Under **Assignments** select the users or groups you wish to access your application. -4. Create a configuration file like the following: - - ``` - provider = "oidc" - redirect_url = "https://example.corp.com/oauth2/callback" - oidc_issuer_url = "https://corp.okta.com/oauth2/abCd1234" - upstreams = [ - "https://example.corp.com" - ] - email_domains = [ - "corp.com" - ] - client_id = "XXXXX" - client_secret = "YYYYY" - pass_access_token = true - cookie_secret = "ZZZZZ" - skip_provider_button = true - ``` - -The `oidc_issuer_url` is based on URL from your **Authorization Server**'s **Issuer** field in step 2, or simply https://corp.okta.com . -The `client_id` and `client_secret` are configured in the application settings. -Generate a unique `cookie_secret` to encrypt the cookie. - -Then you can start the oauth2-proxy with `./oauth2-proxy --config /etc/example.cfg` - -#### Okta - localhost - -1. Signup for developer account: https://developer.okta.com/signup/ -2. Create New `Web` Application: https://${your-okta-domain}/dev/console/apps/new -3. Example Application Settings for localhost: - * **Name:** My Web App - * **Base URIs:** http://localhost:4180/ - * **Login redirect URIs:** http://localhost:4180/oauth2/callback - * **Logout redirect URIs:** http://localhost:4180/ - * **Group assignments:** `Everyone` - * **Grant type allowed:** `Authorization Code` and `Refresh Token` -4. Make note of the `Client ID` and `Client secret`, they are needed in a future step -5. Make note of the **default** Authorization Server Issuer URI from: https://${your-okta-domain}/admin/oauth2/as -6. Example config file `/etc/localhost.cfg` - ``` - provider = "oidc" - redirect_url = "http://localhost:4180/oauth2/callback" - oidc_issuer_url = "https://${your-okta-domain}/oauth2/default" - upstreams = [ - "http://0.0.0.0:8080" - ] - email_domains = [ - "*" - ] - client_id = "XXX" - client_secret = "YYY" - pass_access_token = true - cookie_secret = "ZZZ" - cookie_secure = false - skip_provider_button = true - # Note: use the following for testing within a container - # http_address = "0.0.0.0:4180" - ``` -7. Then you can start the oauth2-proxy with `./oauth2-proxy --config /etc/localhost.cfg` - -### login.gov Provider - -login.gov is an OIDC provider for the US Government. -If you are a US Government agency, you can contact the login.gov team through the contact information -that you can find on https://login.gov/developers/ and work with them to understand how to get login.gov -accounts for integration/test and production access. - -A developer guide is available here: https://developers.login.gov/, though this proxy handles everything -but the data you need to create to register your application in the login.gov dashboard. - -As a demo, we will assume that you are running your application that you want to secure locally on -http://localhost:3000/, that you will be starting your proxy up on http://localhost:4180/, and that -you have an agency integration account for testing. - -First, register your application in the dashboard. The important bits are: - * Identity protocol: make this `Openid connect` - * Issuer: do what they say for OpenID Connect. We will refer to this string as `${LOGINGOV_ISSUER}`. - * Public key: This is a self-signed certificate in .pem format generated from a 2048 bit RSA private key. - A quick way to do this is `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650 -nodes -subj '/C=US/ST=Washington/L=DC/O=GSA/OU=18F/CN=localhost'`, - The contents of the `key.pem` shall be referred to as `${OAUTH2_PROXY_JWT_KEY}`. - * Return to App URL: Make this be `http://localhost:4180/` - * Redirect URIs: Make this be `http://localhost:4180/oauth2/callback`. - * Attribute Bundle: Make sure that email is selected. - -Now start the proxy up with the following options: -``` -./oauth2-proxy -provider login.gov \ - -client-id=${LOGINGOV_ISSUER} \ - -redirect-url=http://localhost:4180/oauth2/callback \ - -oidc-issuer-url=https://idp.int.identitysandbox.gov/ \ - -cookie-secure=false \ - -email-domain=gsa.gov \ - -upstream=http://localhost:3000/ \ - -cookie-secret=somerandomstring12341234567890AB \ - -cookie-domain=localhost \ - -skip-provider-button=true \ - -pubjwk-url=https://idp.int.identitysandbox.gov/api/openid_connect/certs \ - -profile-url=https://idp.int.identitysandbox.gov/api/openid_connect/userinfo \ - -jwt-key="${OAUTH2_PROXY_JWT_KEY}" -``` -You can also set all these options with environment variables, for use in cloud/docker environments. -One tricky thing that you may encounter is that some cloud environments will pass in environment -variables in a docker env-file, which does not allow multiline variables like a PEM file. -If you encounter this, then you can create a `jwt_signing_key.pem` file in the top level -directory of the repo which contains the key in PEM format and then do your docker build. -The docker build process will copy that file into your image which you can then access by -setting the `OAUTH2_PROXY_JWT_KEY_FILE=/etc/ssl/private/jwt_signing_key.pem` -environment variable, or by setting `--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem` on the commandline. - -Once it is running, you should be able to go to `http://localhost:4180/` in your browser, -get authenticated by the login.gov integration server, and then get proxied on to your -application running on `http://localhost:3000/`. In a real deployment, you would secure -your application with a firewall or something so that it was only accessible from the -proxy, and you would use real hostnames everywhere. - -#### Skip OIDC discovery - -Some providers do not support OIDC discovery via their issuer URL, so oauth2-proxy cannot simply grab the authorization, token and jwks URI endpoints from the provider's metadata. - -In this case, you can set the `--skip-oidc-discovery` option, and supply those required endpoints manually: - -``` - -provider oidc - -client-id oauth2-proxy - -client-secret proxy - -redirect-url http://127.0.0.1:4180/oauth2/callback - -oidc-issuer-url http://127.0.0.1:5556 - -skip-oidc-discovery - -login-url http://127.0.0.1:5556/authorize - -redeem-url http://127.0.0.1:5556/token - -oidc-jwks-url http://127.0.0.1:5556/keys - -cookie-secure=false - -email-domain example.com -``` - -### Nextcloud Provider - -The Nextcloud provider allows you to authenticate against users in your -Nextcloud instance. - -When you are using the Nextcloud provider, you must specify the urls via -configuration, environment variable, or command line argument. Depending -on whether your Nextcloud instance is using pretty urls your urls may be of the -form `/index.php/apps/oauth2/*` or `/apps/oauth2/*`. - -Refer to the [OAuth2 -documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/oauth2.html) -to setup the client id and client secret. Your "Redirection URI" will be -`https://internalapp.yourcompany.com/oauth2/callback`. - -``` - -provider nextcloud - -client-id - -client-secret - -login-url="/index.php/apps/oauth2/authorize" - -redeem-url="/index.php/apps/oauth2/api/v1/token" - -validate-url="/ocs/v2.php/cloud/user?format=json" -``` - -Note: in *all* cases the validate-url will *not* have the `index.php`. - -### DigitalOcean Auth Provider - -1. [Create a new OAuth application](https://cloud.digitalocean.com/account/api/applications) - * You can fill in the name, homepage, and description however you wish. - * In the "Application callback URL" field, enter: `https://oauth-proxy/oauth2/callback`, substituting `oauth2-proxy` with the actual hostname that oauth2-proxy is running on. The URL must match oauth2-proxy's configured redirect URL. -2. Note the Client ID and Client Secret. - -To use the provider, pass the following options: - -``` - --provider=digitalocean - --client-id= - --client-secret= -``` - - Alternatively, set the equivalent options in the config file. The redirect URL defaults to `https:///oauth2/callback`. If you need to change it, you can use the `--redirect-url` command-line option. - -### Bitbucket Auth Provider - -1. [Add a new OAuth consumer](https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html) - * In "Callback URL" use `https:///oauth2/callback`, substituting `` with the actual hostname that oauth2-proxy is running on. - * In Permissions section select: - * Account -> Email - * Team membership -> Read - * Repositories -> Read -2. Note the Client ID and Client Secret. - -To use the provider, pass the following options: - -``` - --provider=bitbucket - --client-id= - --client-secret= -``` - -The default configuration allows everyone with Bitbucket account to authenticate. To restrict the access to the team members use additional configuration option: `--bitbucket-team=`. To restrict the access to only these users who has access to one selected repository use `--bitbucket-repository=`. - - - -## Email Authentication - -To authorize by email domain use `--email-domain=yourcompany.com`. To authorize individual email addresses use `--authenticated-emails-file=/path/to/file` with one email per line. To authorize all email addresses use `--email-domain=*`. - -## Adding a new Provider - -Follow the examples in the [`providers` package](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/) to define a new -`Provider` instance. Add a new `case` to -[`providers.New()`](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go) to allow `oauth2-proxy` to use the -new `Provider`. diff --git a/docs/docs/configuration/overview.md b/docs/docs/configuration/overview.md index e5613c6115..e451c485e7 100644 --- a/docs/docs/configuration/overview.md +++ b/docs/docs/configuration/overview.md @@ -12,48 +12,40 @@ To generate a strong cookie secret use one of the below commands: import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; - - + + ```shell python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())' ``` - + - + ```shell - dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_'; echo + dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_' ; echo ``` - + - + ```shell openssl rand -base64 32 | tr -- '+/' '-_' ``` - + - ```shell + ```powershell # Add System.Web assembly to session, just in case Add-Type -AssemblyName System.Web [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.Web.Security.Membership]::GeneratePassword(32,4))).Replace("+","-").Replace("/","_") ``` - + - ```shell + ```hcl # Valid 32 Byte Base64 URL encoding set that will decode to 24 []byte AES-192 secret resource "random_password" "cookie_secret" { length = 32 @@ -72,36 +64,36 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/ ### Command Line Options -| Option | Type | Description | Default | -| ------ | ---- | ----------- |------------------------------------------------------------------| -| `--acr-values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` | -| `--api-route` | string \| list | return HTTP 401 instead of redirecting to authentication server if token is not valid. Format: path_regex | | -| `--approval-prompt` | string | OAuth approval_prompt | `"force"` | -| `--auth-logging` | bool | Log authentication attempts | true | -| `--auth-logging-format` | string | Template for authentication log lines | see [Logging Configuration](#logging-configuration) | -| `--authenticated-emails-file` | string | authenticate against emails via file (one per line) | | -| `--azure-tenant` | string | go to a tenant-specific or common (tenant-independent) endpoint. | `"common"` | -| `--basic-auth-password` | string | the password to set when passing the HTTP Basic Auth header | | -| `--client-id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | | -| `--client-secret` | string | the OAuth Client Secret | | -| `--client-secret-file` | string | the file with OAuth Client Secret | | -| `--code-challenge-method` | string | use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended) | | -| `--config` | string | path to config file | | -| `--cookie-domain` | string \| list | Optional cookie domains to force cookies to (e.g. `.yourcompany.com`). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match). | | -| `--cookie-expire` | duration | expire timeframe for cookie. If set to 0, cookie becomes a session-cookie which will expire when the browser is closed. | 168h0m0s | -| `--cookie-httponly` | bool | set HttpOnly cookie flag | true | -| `--cookie-name` | string | the name of the cookie that the oauth_proxy creates. Should be changed to use a [cookie prefix](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes) (`__Host-` or `__Secure-`) if `--cookie-secure` is set. | `"_oauth2_proxy"` | -| `--cookie-path` | string | an optional cookie path to force cookies to (e.g. `/poc/`) | `"/"` | -| `--cookie-refresh` | duration | refresh the cookie after this duration; `0` to disable; not supported by all providers \[[1](#footnote1)\] | | -| `--cookie-secret` | string | the seed string for secure cookies (optionally base64 encoded) | | -| `--cookie-secure` | bool | set [secure (HTTPS only) cookie flag](https://owasp.org/www-community/controls/SecureFlag) | true | -| `--cookie-samesite` | string | set SameSite cookie attribute (`"lax"`, `"strict"`, `"none"`, or `""`). | `""` | -| `--cookie-csrf-per-request` | bool | Enable having different CSRF cookies per request, making it possible to have parallel requests. | false | -| `--cookie-csrf-expire` | duration | expire timeframe for CSRF cookie | 15m | -| `--custom-templates-dir` | string | path to custom html templates | | +| Option | Type | Description | Default | +| ------ | ---- | ----------- | ------- | +| `--acr-values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` | +| `--api-route` | string \| list | return HTTP 401 instead of redirecting to authentication server if token is not valid. Format: path_regex | | +| `--approval-prompt` | string | OAuth approval_prompt | `"force"` | +| `--auth-logging` | bool | Log authentication attempts | true | +| `--auth-logging-format` | string | Template for authentication log lines | see [Logging Configuration](#logging-configuration) | +| `--authenticated-emails-file` | string | authenticate against emails via file (one per line) | | +| `--azure-tenant` | string | go to a tenant-specific or common (tenant-independent) endpoint. | `"common"` | +| `--basic-auth-password` | string | the password to set when passing the HTTP Basic Auth header | | +| `--client-id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | | +| `--client-secret` | string | the OAuth Client Secret | | +| `--client-secret-file` | string | the file with OAuth Client Secret | | +| `--code-challenge-method` | string | use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended) | | +| `--config` | string | path to config file | | +| `--cookie-domain` | string \| list | Optional cookie domains to force cookies to (e.g. `.yourcompany.com`). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match). | | +| `--cookie-expire` | duration | expire timeframe for cookie. If set to 0, cookie becomes a session-cookie which will expire when the browser is closed. | 168h0m0s | +| `--cookie-httponly` | bool | set HttpOnly cookie flag | true | +| `--cookie-name` | string | the name of the cookie that the oauth_proxy creates. Should be changed to use a [cookie prefix](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes) (`__Host-` or `__Secure-`) if `--cookie-secure` is set. | `"_oauth2_proxy"` | +| `--cookie-path` | string | an optional cookie path to force cookies to (e.g. `/poc/`) | `"/"` | +| `--cookie-refresh` | duration | refresh the cookie after this duration; `0` to disable; not supported by all providers \[[1](#footnote1)\] | | +| `--cookie-secret` | string | the seed string for secure cookies (optionally base64 encoded) | | +| `--cookie-secure` | bool | set [secure (HTTPS only) cookie flag](https://owasp.org/www-community/controls/SecureFlag) | true | +| `--cookie-samesite` | string | set SameSite cookie attribute (`"lax"`, `"strict"`, `"none"`, or `""`). | `""` | +| `--cookie-csrf-per-request` | bool | Enable having different CSRF cookies per request, making it possible to have parallel requests. | false | +| `--cookie-csrf-expire` | duration | expire timeframe for CSRF cookie | 15m | +| `--custom-templates-dir` | string | path to custom html templates | | | `--custom-sign-in-logo` | string | path or a URL to an custom image for the sign_in page logo. Use `"-"` to disable default logo. | | `--display-htpasswd-form` | bool | display username / password login form if an htpasswd file is provided | true | -| `--email-domain` | string \| list | authenticate emails with the specified domain (may be given multiple times). Use `*` to authenticate any email | | +| `--email-domain` | string \| list | authenticate emails with the specified domain (may be given multiple times). Use `*` to authenticate any email | | | `--errors-to-info-log` | bool | redirects error-level logging to default log channel instead of stderr | false | | `--extra-jwt-issuers` | string | if `--skip-jwt-bearer-tokens` is set, a list of extra JWT `issuer=audience` (see a token's `iss`, `aud` fields) pairs (where the issuer URL has a `.well-known/openid-configuration` or a `.well-known/jwks.json`) | | | `--exclude-logging-path` | string | comma separated list of paths to exclude from logging, e.g. `"/ping,/path2"` |`""` (no paths excluded) | @@ -121,7 +113,7 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/ | `--google-group` | string | restrict logins to members of this google group (may be given multiple times). | | | `--google-service-account-json` | string | the path to the service account json credentials | | | `--google-use-application-default-credentials` | bool | use application default credentials instead of service account json (i.e. GKE Workload Identity) | | -| `--google-target-principal` | bool | the targetprincipal to impersonate when using ADC | defaults to the service account configured for ADC | +| `--google-target-principal` | bool | the target principal to impersonate when using ADC | defaults to the service account configured for ADC | | `--htpasswd-file` | string | additionally authenticate against a htpasswd file. Entries must be created with `htpasswd -B` for bcrypt encryption | | | `--htpasswd-user-group` | string \| list | the groups to be set on sessions for htpasswd users | | | `--http-address` | string | `[http://]:` or `unix://` to listen on for HTTP clients. Square brackets are required for ipv6 address, e.g. `http://[::1]:4180` | `"127.0.0.1:4180"` | @@ -130,7 +122,7 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/ | `--logging-filename` | string | File to log requests to, empty for `stdout` | `""` (stdout) | | `--logging-local-time` | bool | Use local time in log files and backup filenames instead of UTC | true (local time) | | `--logging-max-age` | int | Maximum number of days to retain old log files | 7 | -| `--logging-max-backups` | int | Maximum number of old log files to retain; 0 to disable | 0 | +| `--logging-max-backups` | int | Maximum number of old log files to retain; 0 to disable | 0 | | `--logging-max-size` | int | Maximum size in megabytes of the log file before rotation | 100 | | `--jwt-key` | string | private key in PEM format used to sign JWT, so that you can say something like `--jwt-key="${OAUTH2_PROXY_JWT_KEY}"`: required by login.gov | | | `--jwt-key-file` | string | path to the private key file in PEM format used to sign the JWT so that you can say something like `--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem`: required by login.gov | | @@ -153,71 +145,70 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/ | `--profile-url` | string | Profile access endpoint | | | `--prompt` | string | [OIDC prompt](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest); if present, `approval-prompt` is ignored | `""` | | `--provider` | string | OAuth provider | google | -| `--provider-ca-file` | string \| list | Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead. | +| `--provider-ca-file` | string \| list | Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead. | | `--use-system-trust-store` | bool | Determines if `provider-ca-file` files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | false | -| `--provider-display-name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) | -| `--ping-path` | string | the ping endpoint that can be used for basic health checks | `"/ping"` | -| `--ping-user-agent` | string | a User-Agent that can be used for basic health checks | `""` (don't check user agent) | -| `--ready-path` | string | the ready endpoint that can be used for deep health checks | `"/ready"` | -| `--metrics-address` | string | the address prometheus metrics will be scraped from | `""` | -| `--proxy-prefix` | string | the url root path that this proxy should be nested under (e.g. /`/sign_in`) | `"/oauth2"` | -| `--proxy-websockets` | bool | enables WebSocket proxying | true | -| `--pubjwk-url` | string | JWK pubkey access endpoint: required by login.gov | | -| `--real-client-ip-header` | string | Header used to determine the real IP of the client, requires `--reverse-proxy` to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP) | X-Real-IP | -| `--redeem-url` | string | Token redemption endpoint | | -| `--redirect-url` | string | the OAuth Redirect URL, e.g. `"https://internalapp.yourcompany.com/oauth2/callback"` | | -| `--relative-redirect-url` | bool | allow relative OAuth Redirect URL.` | | -| `--redis-cluster-connection-urls` | string \| list | List of Redis cluster connection URLs (e.g. `redis://HOST[:PORT]`). Used in conjunction with `--redis-use-cluster` | | -| `--redis-connection-url` | string | URL of redis server for redis session storage (e.g. `redis://HOST[:PORT]`) | | -| `--redis-insecure-skip-tls-verify` | bool | skip TLS verification when connecting to Redis | false | -| `--redis-password` | string | Redis password. Applicable for all Redis configurations. Will override any password set in `--redis-connection-url` | | -| `--redis-sentinel-password` | string | Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `--redis-password` | | -| `--redis-sentinel-master-name` | string | Redis sentinel master name. Used in conjunction with `--redis-use-sentinel` | | -| `--redis-sentinel-connection-urls` | string \| list | List of Redis sentinel connection URLs (e.g. `redis://HOST[:PORT]`). Used in conjunction with `--redis-use-sentinel` | | -| `--redis-use-cluster` | bool | Connect to redis cluster. Must set `--redis-cluster-connection-urls` to use this feature | false | -| `--redis-use-sentinel` | bool | Connect to redis via sentinels. Must set `--redis-sentinel-master-name` and `--redis-sentinel-connection-urls` to use this feature | false | -| `--redis-connection-idle-timeout` | int | Redis connection idle timeout seconds. If Redis [timeout](https://redis.io/docs/reference/clients/#client-timeouts) option is set to non-zero, the `--redis-connection-idle-timeout` must be less than Redis timeout option. Exmpale: if either redis.conf includes `timeout 15` or using `CONFIG SET timeout 15` the `--redis-connection-idle-timeout` must be at least `--redis-connection-idle-timeout=14` | 0 | -| `--request-id-header` | string | Request header to use as the request ID in logging | X-Request-Id | -| `--request-logging` | bool | Log requests | true | -| `--request-logging-format` | string | Template for request log lines | see [Logging Configuration](#logging-configuration) | -| `--resource` | string | The resource that is protected (Azure AD only) | | -| `--reverse-proxy` | bool | are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection | false | -| `--scope` | string | OAuth scope specification | | -| `--session-cookie-minimal` | bool | strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only) | false | -| `--session-store-type` | string | [Session data storage backend](sessions.md); redis or cookie | cookie | -| `--set-xauthrequest` | bool | set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with `--pass-access-token`, X-Auth-Request-Access-Token is added to response headers. | false | -| `--set-authorization-header` | bool | set Authorization Bearer response header (useful in Nginx auth_request mode) | false | -| `--set-basic-auth` | bool | set HTTP Basic Auth information in response (useful in Nginx auth_request mode) | false | -| `--show-debug-on-error` | bool | show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production) | false | -| `--signature-key` | string | GAP-Signature request signature key (algorithm:secretkey) | | -| `--silence-ping-logging` | bool | disable logging of requests to ping & ready endpoints | false | -| `--skip-auth-preflight` | bool | will skip authentication for OPTIONS requests | false | -| `--skip-auth-regex` | string \| list | (DEPRECATED for `--skip-auth-route`) bypass authentication for requests paths that match (may be given multiple times) | | -| `--skip-auth-route` | string \| list | bypass authentication for requests that match the method & path. Format: method=path_regex OR method!=path_regex. For all methods: path_regex OR !=path_regex | | -| `--skip-auth-strip-headers` | bool | strips `X-Forwarded-*` style authentication headers & `Authorization` header if they would be set by oauth2-proxy | true | -| `--skip-jwt-bearer-tokens` | bool | will skip requests that have verified JWT bearer tokens (the token must have [`aud`](https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields) that matches this client id or one of the extras from `extra-jwt-issuers`) | false | -| `--skip-oidc-discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false | -| `--skip-provider-button` | bool | will skip sign-in-page to directly reach the next step: oauth/start | false | -| `--ssl-insecure-skip-verify` | bool | skip validation of certificates presented when using HTTPS providers | false | -| `--ssl-upstream-insecure-skip-verify` | bool | skip validation of certificates presented when using HTTPS upstreams | false | -| `--standard-logging` | bool | Log standard runtime information | true | -| `--standard-logging-format` | string | Template for standard log lines | see [Logging Configuration](#logging-configuration) | -| `--tls-cert-file` | string | path to certificate file | | -| `--tls-cipher-suite` | string \| list | Restricts TLS cipher suites used by server to those listed (e.g. TLS_RSA_WITH_RC4_128_SHA) (may be given multiple times). If not specified, the default Go safe cipher list is used. List of valid cipher suites can be found in the [crypto/tls documentation](https://pkg.go.dev/crypto/tls#pkg-constants). | | -| `--tls-key-file` | string | path to private key file | | -| `--tls-min-version` | string | minimum TLS version that is acceptable, either `"TLS1.2"` or `"TLS1.3"` | `"TLS1.2"` | -| `--upstream` | string \| list | the http url(s) of the upstream endpoint, file:// paths for static files or `static://` for static response. Routing is based on the path | | -| `--upstream-timeout` | duration | maximum amount of time the server will wait for a response from the upstream | 30s | -| `--allowed-group` | string \| list | restrict logins to members of this group (may be given multiple times) | | -| `--allowed-role` | string \| list | restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider. | | -| `--validate-url` | string | Access token validation endpoint | | -| `--version` | n/a | print version string | | -| `--whitelist-domain` | string \| list | allowed domains for redirection after authentication. Prefix domain with a `.` or a `*.` to allow subdomains (e.g. `.example.com`, `*.example.com`) \[[2](#footnote2)\] | | -| `--trusted-ip` | string \| list | list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with `--reverse-proxy` and optionally `--real-client-ip-header` this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them. | | - -\[1\]: Only these providers support `--cookie-refresh`: GitLab, Google and OIDC - -\[2\]: When using the `whitelist-domain` option, any domain prefixed with a `.` or a `*.` will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: `example.com:8080`. To allow any port, use `*`: `example.com:*`. +| `--provider-display-name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) | +| `--ping-path` | string | the ping endpoint that can be used for basic health checks | `"/ping"` | +| `--ping-user-agent` | string | a User-Agent that can be used for basic health checks | `""` (don't check user agent) | +| `--ready-path` | string | the ready endpoint that can be used for deep health checks | `"/ready"` | +| `--metrics-address` | string | the address prometheus metrics will be scraped from | `""` | +| `--proxy-prefix` | string | the url root path that this proxy should be nested under (e.g. /`/sign_in`) | `"/oauth2"` | +| `--proxy-websockets` | bool | enables WebSocket proxying | true | +| `--pubjwk-url` | string | JWK pubkey access endpoint: required by login.gov | | +| `--real-client-ip-header` | string | Header used to determine the real IP of the client, requires `--reverse-proxy` to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP) | X-Real-IP | +| `--redeem-url` | string | Token redemption endpoint | | +| `--redirect-url` | string | the OAuth Redirect URL, e.g. `"https://internalapp.yourcompany.com/oauth2/callback"` | | +| `--relative-redirect-url` | bool | allow relative OAuth Redirect URL.` | | +| `--redis-cluster-connection-urls` | string \| list | List of Redis cluster connection URLs (e.g. `redis://HOST[:PORT]`). Used in conjunction with `--redis-use-cluster` | | +| `--redis-connection-url` | string | URL of redis server for redis session storage (e.g. `redis://HOST[:PORT]`) | | +| `--redis-insecure-skip-tls-verify` | bool | skip TLS verification when connecting to Redis | false | +| `--redis-password` | string | Redis password. Applicable for all Redis configurations. Will override any password set in `--redis-connection-url` | | +| `--redis-sentinel-password` | string | Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `--redis-password` | | +| `--redis-sentinel-master-name` | string | Redis sentinel master name. Used in conjunction with `--redis-use-sentinel` | | +| `--redis-sentinel-connection-urls` | string \| list | List of Redis sentinel connection URLs (e.g. `redis://HOST[:PORT]`). Used in conjunction with `--redis-use-sentinel` | | +| `--redis-use-cluster` | bool | Connect to redis cluster. Must set `--redis-cluster-connection-urls` to use this feature | false | +| `--redis-use-sentinel` | bool | Connect to redis via sentinels. Must set `--redis-sentinel-master-name` and `--redis-sentinel-connection-urls` to use this feature | false | +| `--redis-connection-idle-timeout` | int | Redis connection idle timeout seconds. If Redis [timeout](https://redis.io/docs/reference/clients/#client-timeouts) option is set to non-zero, the `--redis-connection-idle-timeout` must be less than Redis timeout option. Example: if either redis.conf includes `timeout 15` or using `CONFIG SET timeout 15` the `--redis-connection-idle-timeout` must be at least `--redis-connection-idle-timeout=14` | 0 | +| `--request-id-header` | string | Request header to use as the request ID in logging | X-Request-Id | +| `--request-logging` | bool | Log requests | true | +| `--request-logging-format` | string | Template for request log lines | see [Logging Configuration](#logging-configuration) | +| `--resource` | string | The resource that is protected (Azure AD only) | | +| `--reverse-proxy` | bool | are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection | false | +| `--scope` | string | OAuth scope specification | | +| `--session-cookie-minimal` | bool | strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only) | false | +| `--session-store-type` | string | [Session data storage backend](sessions.md); redis or cookie | cookie | +| `--set-xauthrequest` | bool | set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with `--pass-access-token`, X-Auth-Request-Access-Token is added to response headers. | false | +| `--set-authorization-header` | bool | set Authorization Bearer response header (useful in Nginx auth_request mode) | false | +| `--set-basic-auth` | bool | set HTTP Basic Auth information in response (useful in Nginx auth_request mode) | false | +| `--show-debug-on-error` | bool | show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production) | false | +| `--signature-key` | string | GAP-Signature request signature key (algorithm:secretkey) | | +| `--silence-ping-logging` | bool | disable logging of requests to ping & ready endpoints | false | +| `--skip-auth-preflight` | bool | will skip authentication for OPTIONS requests | false | +| `--skip-auth-regex` | string \| list | (DEPRECATED for `--skip-auth-route`) bypass authentication for requests paths that match (may be given multiple times) | | +| `--skip-auth-route` | string \| list | bypass authentication for requests that match the method & path. Format: method=path_regex OR method!=path_regex. For all methods: path_regex OR !=path_regex | | +| `--skip-auth-strip-headers` | bool | strips `X-Forwarded-*` style authentication headers & `Authorization` header if they would be set by oauth2-proxy | true | +| `--skip-jwt-bearer-tokens` | bool | will skip requests that have verified JWT bearer tokens (the token must have [`aud`](https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields) that matches this client id or one of the extras from `extra-jwt-issuers`) | false | +| `--skip-oidc-discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false | +| `--skip-provider-button` | bool | will skip sign-in-page to directly reach the next step: oauth/start | false | +| `--ssl-insecure-skip-verify` | bool | skip validation of certificates presented when using HTTPS providers | false | +| `--ssl-upstream-insecure-skip-verify` | bool | skip validation of certificates presented when using HTTPS upstreams | false | +| `--standard-logging` | bool | Log standard runtime information | true | +| `--standard-logging-format` | string | Template for standard log lines | see [Logging Configuration](#logging-configuration) | +| `--tls-cert-file` | string | path to certificate file | | +| `--tls-cipher-suite` | string \| list | Restricts TLS cipher suites used by server to those listed (e.g. TLS_RSA_WITH_RC4_128_SHA) (may be given multiple times). If not specified, the default Go safe cipher list is used. List of valid cipher suites can be found in the [crypto/tls documentation](https://pkg.go.dev/crypto/tls#pkg-constants). | | +| `--tls-key-file` | string | path to private key file | | +| `--tls-min-version` | string | minimum TLS version that is acceptable, either `"TLS1.2"` or `"TLS1.3"` | `"TLS1.2"` | +| `--upstream` | string \| list | the http url(s) of the upstream endpoint, file:// paths for static files or `static://` for static response. Routing is based on the path | | +| `--upstream-timeout` | duration | maximum amount of time the server will wait for a response from the upstream | 30s | +| `--allowed-group` | string \| list | restrict logins to members of this group (may be given multiple times) | | +| `--allowed-role` | string \| list | restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider. | | +| `--validate-url` | string | Access token validation endpoint | | +| `--version` | n/a | print version string | | +| `--whitelist-domain` | string \| list | allowed domains for redirection after authentication. Prefix domain with a `.` or a `*.` to allow subdomains (e.g. `.example.com`, `*.example.com`) \[[2](#footnote2)\] | | +| `--trusted-ip` | string \| list | list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with `--reverse-proxy` and optionally `--real-client-ip-header` this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them. | | + +> ###### 1. Only these providers support `--cookie-refresh`: GitLab, Google and OIDC {#footnote1} +> ###### 2. When using the `whitelist-domain` option, any domain prefixed with a `.` or a `*.` will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URLs protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: `example.com:8080`. To allow any port, use `*`: `example.com:*`. {#footnote2} See below for provider specific options @@ -240,7 +231,7 @@ prefixing it with `OAUTH2_PROXY_`, capitalising it, and replacing hyphens (`-`) with underscores (`_`). If the argument can be specified multiple times, the environment variable should be plural (trailing `S`). -This is particularly useful for storing secrets outside of a configuration file +This is particularly useful for storing secrets outside a configuration file or the command line. For example, the `--cookie-secret` flag becomes `OAUTH2_PROXY_COOKIE_SECRET`, @@ -254,7 +245,7 @@ If logging to a file you can also configure the maximum file size (`--logging-ma There are three different types of logging: standard, authentication, and HTTP requests. These can each be enabled or disabled with `--standard-logging`, `--auth-logging`, and `--request-logging`. -Each type of logging has its own configurable format and variables. By default these formats are similar to the Apache Combined Log. +Each type of logging has its own configurable format and variables. By default, these formats are similar to the Apache Combined Log. Logging of requests to the `/ping` endpoint (or using `--ping-user-agent`) and the `/ready` endpoint can be disabled with `--silence-ping-logging` reducing log volume. diff --git a/docs/docs/configuration/providers/adfs.md b/docs/docs/configuration/providers/adfs.md new file mode 100644 index 0000000000..ec8d72d2af --- /dev/null +++ b/docs/docs/configuration/providers/adfs.md @@ -0,0 +1,19 @@ +--- +id: adfs +title: ADFS +--- + +1. Open the ADFS administration console on your Windows Server and add a new Application Group +2. Provide a name for the integration, select Server Application from the Standalone applications section and click Next +3. Follow the wizard to get the client-id, client-secret and configure the application credentials +4. Configure the proxy with + +``` + --provider=adfs + --client-id= + --client-secret= +``` + +Note: When using the ADFS Auth provider with nginx and the cookie session store you may find the cookie is too large and +doesn't get passed through correctly. Increasing the proxy_buffer_size in nginx or implementing the +[redis session storage](../sessions.md#redis-storage) should resolve this. diff --git a/docs/docs/configuration/providers/azure.md b/docs/docs/configuration/providers/azure.md new file mode 100644 index 0000000000..a8b0dcd82d --- /dev/null +++ b/docs/docs/configuration/providers/azure.md @@ -0,0 +1,46 @@ +--- +id: azure +title: Azure +--- + +1. Add an application: go to [https://portal.azure.com](https://portal.azure.com), choose **Azure Active Directory**, select + **App registrations** and then click on **New registration**. +2. Pick a name, check the supported account type(single-tenant, multi-tenant, etc). In the **Redirect URI** section create a new + **Web** platform entry for each app that you want to protect by the oauth2 proxy(e.g. + https://internal.yourcompanycom/oauth2/callback). Click **Register**. +3. Next we need to add group read permissions for the app registration, on the **API Permissions** page of the app, click on + **Add a permission**, select **Microsoft Graph**, then select **Application permissions**, then click on **Group** and select + **Group.Read.All**. Hit **Add permissions** and then on **Grant admin consent** (you might need an admin to do this). +
**IMPORTANT**: Even if this permission is listed with **"Admin consent required=No"** the consent might actually + be required, due to AAD policies you won't be able to see. If you get a **"Need admin approval"** during login, + most likely this is what you're missing! +4. Next, if you are planning to use v2.0 Azure Auth endpoint, go to the **Manifest** page and set `"accessTokenAcceptedVersion": 2` + in the App registration manifest file. +5. On the **Certificates & secrets** page of the app, add a new client secret and note down the value after hitting **Add**. +6. Configure the proxy with: +- for V1 Azure Auth endpoint (Azure Active Directory Endpoints - https://login.microsoftonline.com/common/oauth2/authorize) + +``` + --provider=azure + --client-id= + --client-secret= + --azure-tenant={tenant-id} + --oidc-issuer-url=https://sts.windows.net/{tenant-id}/ +``` + +- for V2 Azure Auth endpoint (Microsoft Identity Platform Endpoints - https://login.microsoftonline.com/common/oauth2/v2.0/authorize) +``` + --provider=azure + --client-id= + --client-secret= + --azure-tenant={tenant-id} + --oidc-issuer-url=https://login.microsoftonline.com/{tenant-id}/v2.0 +``` + +***Notes***: +- When using v2.0 Azure Auth endpoint (`https://login.microsoftonline.com/{tenant-id}/v2.0`) as `--oidc_issuer_url`, in conjunction + with `--resource` flag, be sure to append `/.default` at the end of the resource name. See + https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope for more details. +- When using the Azure Auth provider with nginx and the cookie session store you may find the cookie is too large and doesn't + get passed through correctly. Increasing the proxy_buffer_size in nginx or implementing the + [redis session storage](../sessions.md#redis-storage) should resolve this. diff --git a/docs/docs/configuration/providers/azure_ad.md b/docs/docs/configuration/providers/azure_ad.md new file mode 100644 index 0000000000..81fb478c77 --- /dev/null +++ b/docs/docs/configuration/providers/azure_ad.md @@ -0,0 +1,9 @@ +--- +id: azure_ad +title: Microsoft Azure AD +--- + +For adding an application to the Microsoft Azure AD follow [these steps to add an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app). + +Take note of your `TenantId` if applicable for your situation. The `TenantId` can be used to override the default +`common` authorization server with a tenant specific server. diff --git a/docs/docs/configuration/providers/bitbucket.md b/docs/docs/configuration/providers/bitbucket.md new file mode 100644 index 0000000000..e31de7526c --- /dev/null +++ b/docs/docs/configuration/providers/bitbucket.md @@ -0,0 +1,25 @@ +--- +id: bitbucket +title: BitBucket +--- + +1. [Add a new OAuth consumer](https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html) + * In "Callback URL" use `https:///oauth2/callback`, substituting `` with the actual + hostname that oauth2-proxy is running on. + * In Permissions section select: + * Account -> Email + * Team membership -> Read + * Repositories -> Read +2. Note the Client ID and Client Secret. + +To use the provider, pass the following options: + +``` + --provider=bitbucket + --client-id= + --client-secret= +``` + +The default configuration allows everyone with Bitbucket account to authenticate. To restrict the access to the team +members use additional configuration option: `--bitbucket-team=`. To restrict the access to only these users +who have access to one selected repository use `--bitbucket-repository=`. diff --git a/docs/docs/configuration/providers/digitalocean.md b/docs/docs/configuration/providers/digitalocean.md new file mode 100644 index 0000000000..f6a1e89181 --- /dev/null +++ b/docs/docs/configuration/providers/digitalocean.md @@ -0,0 +1,21 @@ +--- +id: digitalocean +title: DigitalOcean +--- + +1. [Create a new OAuth application](https://cloud.digitalocean.com/account/api/applications) + * You can fill in the name, homepage, and description however you wish. + * In the "Application callback URL" field, enter: `https://oauth-proxy/oauth2/callback`, substituting `oauth2-proxy` + with the actual hostname that oauth2-proxy is running on. The URL must match oauth2-proxy's configured redirect URL. +2. Note the Client ID and Client Secret. + +To use the provider, pass the following options: + +``` + --provider=digitalocean + --client-id= + --client-secret= +``` + +Alternatively, set the equivalent options in the config file. The redirect URL defaults to +`https:///oauth2/callback`. If you need to change it, you can use the `--redirect-url` command-line option. diff --git a/docs/docs/configuration/providers/facebook.md b/docs/docs/configuration/providers/facebook.md new file mode 100644 index 0000000000..023f543bf0 --- /dev/null +++ b/docs/docs/configuration/providers/facebook.md @@ -0,0 +1,7 @@ +--- +id: facebook +title: Facebook +--- + +1. Create a new FB App from +2. Under FB Login, set your Valid OAuth redirect URIs to `https://internal.yourcompany.com/oauth2/callback` diff --git a/docs/docs/configuration/providers/gitea.md b/docs/docs/configuration/providers/gitea.md new file mode 100644 index 0000000000..5799db446a --- /dev/null +++ b/docs/docs/configuration/providers/gitea.md @@ -0,0 +1,20 @@ +--- +id: gitea +title: Gitea +--- + +1. Create a new application: `https://< your gitea host >/user/settings/applications` +2. Under `Redirect URI` enter the correct URL i.e. `https:///oauth2/callback` +3. Note the Client ID and Client Secret. +4. Pass the following options to the proxy: + +``` + --provider="github" + --redirect-url="https:///oauth2/callback" + --provider-display-name="Gitea" + --client-id="< client_id as generated by Gitea >" + --client-secret="< client_secret as generated by Gitea >" + --login-url="https://< your gitea host >/login/oauth/authorize" + --redeem-url="https://< your gitea host >/login/oauth/access_token" + --validate-url="https://< your gitea host >/api/v1/user/emails" +``` diff --git a/docs/docs/configuration/providers/github.md b/docs/docs/configuration/providers/github.md new file mode 100644 index 0000000000..c16e960548 --- /dev/null +++ b/docs/docs/configuration/providers/github.md @@ -0,0 +1,43 @@ +--- +id: github +title: GitHub +--- + +1. Create a new project: https://github.com/settings/developers +2. Under `Authorization callback URL` enter the correct url ie `https://internal.yourcompany.com/oauth2/callback` + +The GitHub auth provider supports two additional ways to restrict authentication to either organization and optional +team level access, or to collaborators of a repository. Restricting by these options is normally accompanied with `--email-domain=*` + +NOTE: When `--github-user` is set, the specified users are allowed to log in even if they do not belong to the specified +org and team or collaborators. + +To restrict by organization only, include the following flag: + + -github-org="": restrict logins to members of this organisation + +To restrict within an organization to specific teams, include the following flag in addition to `-github-org`: + + -github-team="": restrict logins to members of any of these teams (slug), separated by a comma + +If you would rather restrict access to collaborators of a repository, those users must either have push access to a +public repository or any access to a private repository: + + -github-repo="": restrict logins to collaborators of this repository formatted as orgname/repo + +If you'd like to allow access to users with **read only** access to a **public** repository you will need to provide a +[token](https://github.com/settings/tokens) for a user that has write access to the repository. The token must be +created with at least the `public_repo` scope: + + -github-token="": the token to use when verifying repository collaborators + +To allow a user to log in with their username even if they do not belong to the specified org and team or collaborators, +separated by a comma + + -github-user="": allow logins by username, separated by a comma + +If you are using GitHub enterprise, make sure you set the following to the appropriate url: + + -login-url="http(s):///login/oauth/authorize" + -redeem-url="http(s):///login/oauth/access_token" + -validate-url="http(s):///api/v3" diff --git a/docs/docs/configuration/providers/gitlab.md b/docs/docs/configuration/providers/gitlab.md new file mode 100644 index 0000000000..3cef7afc2c --- /dev/null +++ b/docs/docs/configuration/providers/gitlab.md @@ -0,0 +1,36 @@ +--- +id: gitlab +title: GitLab +--- + +This auth provider has been tested against Gitlab version 12.X. Due to Gitlab API changes, it may not work for version +prior to 12.X (see [994](https://github.com/oauth2-proxy/oauth2-proxy/issues/994)). + +Whether you are using GitLab.com or self-hosting GitLab, follow +[these steps to add an application](https://docs.gitlab.com/ce/integration/oauth_provider.html). Make sure to enable at +least the `openid`, `profile` and `email` scopes, and set the redirect url to your application url e.g. +https://myapp.com/oauth2/callback. + +If you need projects filtering, add the extra `read_api` scope to your application. + +The following config should be set to ensure that the oauth will work properly. To get a cookie secret follow +[these steps](../overview.md#generating-a-cookie-secret) + +``` + --provider="gitlab" + --redirect-url="https://myapp.com/oauth2/callback" // Should be the same as the redirect url for the application in gitlab + --client-id=GITLAB_CLIENT_ID + --client-secret=GITLAB_CLIENT_SECRET + --cookie-secret=COOKIE_SECRET +``` + +Restricting by group membership is possible with the following option: + + --gitlab-group="mygroup,myothergroup": restrict logins to members of any of these groups (slug), separated by a comma + +If you are using self-hosted GitLab, make sure you set the following to the appropriate URL: + + --oidc-issuer-url="" + +If your self-hosted GitLab is on a subdirectory (e.g. domain.tld/gitlab), as opposed to its own subdomain +(e.g. gitlab.domain.tld), you may need to add a redirect from domain.tld/oauth pointing at e.g. domain.tld/gitlab/oauth. diff --git a/docs/docs/configuration/providers/google.md b/docs/docs/configuration/providers/google.md new file mode 100644 index 0000000000..28d95b8287 --- /dev/null +++ b/docs/docs/configuration/providers/google.md @@ -0,0 +1,63 @@ +--- +id: google +title: Google (default) +--- + +For Google, the registration steps are: + +1. Create a new project: https://console.developers.google.com/project +2. Choose the new project from the top right project dropdown (only if another project is selected) +3. In the project Dashboard center pane, choose **"APIs & Services"** +4. In the left Nav pane, choose **"Credentials"** +5. In the center pane, choose **"OAuth consent screen"** tab. Fill in **"Product name shown to users"** and hit save. +6. In the center pane, choose **"Credentials"** tab. + - Open the **"New credentials"** drop down + - Choose **"OAuth client ID"** + - Choose **"Web application"** + - Application name is freeform, choose something appropriate + - Authorized JavaScript origins is your domain ex: `https://internal.yourcompany.com` + - Authorized redirect URIs is the location of oauth2/callback ex: `https://internal.yourcompany.com/oauth2/callback` + - Choose **"Create"** +7. Take note of the **Client ID** and **Client Secret** + +It's recommended to refresh sessions on a short interval (1h) with `cookie-refresh` setting which validates that the +account is still authorized. + +#### Restrict auth to specific Google groups on your domain. (optional) + +1. Create a [service account](https://developers.google.com/identity/protocols/OAuth2ServiceAccount) and configure it + to use [Application Default Credentials / Workload Identity / Workload Identity Federation (recommended)](#using-application-default-credentials-adc--workload-identity--workload-identity-federation-recommended) or, + alternatively download the JSON. +2. Make note of the Client ID for a future step. +3. Under "APIs & Auth", choose APIs. +4. Click on Admin SDK and then Enable API. +5. Follow the steps on https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account + and give the client id from step 2 the following oauth scopes: + + ``` + https://www.googleapis.com/auth/admin.directory.group.readonly + https://www.googleapis.com/auth/admin.directory.user.readonly + ``` + +6. Follow the steps on https://support.google.com/a/answer/60757 to enable Admin API access. +7. Create or choose an existing administrative email address on the Gmail domain to assign to the `google-admin-email` + flag. This email will be impersonated by this client to make calls to the Admin SDK. See the note on the link from + step 5 for the reason why. +8. Create or choose an existing email group and set that email to the `google-group` flag. You can pass multiple instances + of this flag with different groups and the user will be checked against all the provided groups. + +(Only if using a JSON file (see step 1)) +9. Lock down the permissions on the json file downloaded from step 1 so only oauth2-proxy is able to read the file and + set the path to the file in the `google-service-account-json` flag. +10. Restart oauth2-proxy. + +Note: The user is checked against the group members list on initial authentication and every time the token is +refreshed ( about once an hour ). + +##### Using Application Default Credentials (ADC) / Workload Identity / Workload Identity Federation (recommended) +oauth2-proxy can make use of [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials). +When deployed within GCP, this means that it can automatically use the service account attached to the resource. When deployed to GKE, ADC +can be leveraged through a feature called Workload Identity. Follow Google's [guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) +to set up Workload Identity. + +When deployed outside of GCP, [Workload Identity Federation](https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif) might be an option. diff --git a/docs/docs/configuration/providers/index.md b/docs/docs/configuration/providers/index.md new file mode 100644 index 0000000000..fee7b12b03 --- /dev/null +++ b/docs/docs/configuration/providers/index.md @@ -0,0 +1,42 @@ +--- +id: index +title: OAuth Provider Configuration +--- + +You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it +with Redirect URI(s) for the domain you intend to run `oauth2-proxy` on. + +Valid providers are : + +- [Google](google.md) _default_ +- [Azure](azure.md) +- [ADFS](adfs.md) +- [Facebook](facebook.md) +- [GitHub](github.md) +- [Gitea](gitea.md) +- [Keycloak](keycloak.md)/[Keycloak OIDC](keycloak_oidc.md) +- [GitLab](gitlab.md) +- [LinkedIn](linkedin.md) +- [Microsoft Azure AD](azure_ad.md) +- [OpenID Connect](openid_connect.md) +- [login.gov](login_gov.md) +- [Nextcloud](nextcloud.md) +- [DigitalOcean](digitalocean.md) +- [Bitbucket](bitbucket.md) + +The provider can be selected using the `provider` configuration value. + +Please note that not all providers support all claims. The `preferred_username` claim is currently only supported by the +OpenID Connect provider. + +## Email Authentication + +To authorize a specific email-domain use `--email-domain=yourcompany.com`. To authorize individual email addresses use +`--authenticated-emails-file=/path/to/file` with one email per line. To authorize all email addresses use `--email-domain=*`. + +## Adding a new Provider + +Follow the examples in the [`providers` package](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/) to define a new +`Provider` instance. Add a new `case` to +[`providers.New()`](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go) to allow `oauth2-proxy` to use the +new `Provider`. diff --git a/docs/docs/configuration/providers/keycloak.md b/docs/docs/configuration/providers/keycloak.md new file mode 100644 index 0000000000..1becea5890 --- /dev/null +++ b/docs/docs/configuration/providers/keycloak.md @@ -0,0 +1,36 @@ +--- +id: keycloak +title: Keycloak +--- + +:::note +This is the legacy provider for Keycloak, use [Keycloak OIDC Auth Provider](keycloak_oidc.md) if possible. +::: + +1. Create new client in your Keycloak realm with **Access Type** 'confidential' and **Valid Redirect URIs** 'https://internal.yourcompany.com/oauth2/callback' +2. Take note of the Secret in the credential tab of the client +3. Create a mapper with **Mapper Type** 'Group Membership' and **Token Claim Name** 'groups'. + +Make sure you set the following to the appropriate url: + +``` + --provider=keycloak + --client-id= + --client-secret= + --login-url="http(s):///auth/realms//protocol/openid-connect/auth" + --redeem-url="http(s):///auth/realms//protocol/openid-connect/token" + --profile-url="http(s):///auth/realms//protocol/openid-connect/userinfo" + --validate-url="http(s):///auth/realms//protocol/openid-connect/userinfo" + --keycloak-group= + --keycloak-group= +``` + +For group based authorization, the optional `--keycloak-group` (legacy) or `--allowed-group` (global standard) +flags can be used to specify which groups to limit access to. + +If these are unset but a `groups` mapper is set up above in step (3), the provider will still +populate the `X-Forwarded-Groups` header to your upstream server with the `groups` data in the +Keycloak userinfo endpoint response. + +The group management in keycloak is using a tree. If you create a group named admin in keycloak +you should define the 'keycloak-group' value to /admin. diff --git a/docs/docs/configuration/providers/keycloak_oidc.md b/docs/docs/configuration/providers/keycloak_oidc.md new file mode 100644 index 0000000000..4e012f493d --- /dev/null +++ b/docs/docs/configuration/providers/keycloak_oidc.md @@ -0,0 +1,143 @@ +--- +id: keycloak_oidc +title: Keycloak OIDC +--- + +``` + --provider=keycloak-oidc + --client-id= + --client-secret= + --redirect-url=https://internal.yourcompany.com/oauth2/callback + --oidc-issuer-url=https:///realms/ // For Keycloak versions <17: --oidc-issuer-url=https:///auth/realms/ + --email-domain= // Validate email domain for users, see option documentation + --allowed-role= // Optional, required realm role + --allowed-role=: // Optional, required client role + --allowed-group= // Optional, requires group client scope + --code-challenge-method=S256 // PKCE +``` + +:::note +Keycloak has updated its admin console and as of version 19.0.0, the new admin console is enabled by default. The +legacy admin console has been announced for removal with the release of version 21.0.0. +::: + +**Keycloak legacy admin console** + +1. Create new client in your Keycloak realm with **Access Type** 'confidential', **Client protocol** 'openid-connect' + and **Valid Redirect URIs** 'https://internal.yourcompany.com/oauth2/callback' +2. Take note of the Secret in the credential tab of the client +3. Create a mapper with **Mapper Type** 'Group Membership' and **Token Claim Name** 'groups'. +4. Create a mapper with **Mapper Type** 'Audience' and **Included Client Audience** and **Included Custom Audience** set + to your client name. + +**Keycloak new admin console (default as of v19.0.0)** + +The following example shows how to create a simple OIDC client using the new Keycloak admin2 console. However, for best +practices, it is recommended to consult the Keycloak documentation. + +The OIDC client must be configured with an _audience mapper_ to include the client's name in the `aud` claim of the JWT token. +The `aud` claim specifies the intended recipient of the token, and OAuth2 Proxy expects a match against the values of +either `--client-id` or `--oidc-extra-audience`. + +_In Keycloak, claims are added to JWT tokens through the use of mappers at either the realm level using "client scopes" or +through "dedicated" client mappers._ + +**Creating the client** + +1. Create a new OIDC client in your Keycloak realm by navigating to: + **Clients** -> **Create client** + * **Client Type** 'OpenID Connect' + * **Client ID** ``, please complete the remaining fields as appropriate and click **Next**. + * **Client authentication** 'On' + * **Authentication flow** + * **Standard flow** 'selected' + * **Direct access grants** 'deselect' + * _Save the configuration._ + * **Settings / Access settings**: + * **Valid redirect URIs** `https://internal.yourcompany.com/oauth2/callback` + * _Save the configuration._ + * Under the **Credentials** tab you will now be able to locate ``. +2. Configure a dedicated *audience mapper* for your client by navigating to **Clients** -> **** -> **Client scopes**. +* Access the dedicated mappers pane by clicking **-dedicated**, located under *Assigned client scope*. + _(It should have a description of "Dedicated scope and mappers for this client")_ + * Click **Configure a new mapper** and select **Audience** + * **Name** 'aud-mapper-' + * **Included Client Audience** select `` from the dropdown. + * _OAuth2 proxy can be set up to pass both the access and ID JWT tokens to your upstream services. + If you require additional audience entries, you can use the **Included Custom Audience** field in addition + to the "Included Client Audience" dropdown. Note that the "aud" claim of a JWT token should be limited and + only specify its intended recipients._ + * **Add to ID token** 'On' + * **Add to access token** 'On' - [#1916](https://github.com/oauth2-proxy/oauth2-proxy/pull/1916) + * _Save the configuration._ +* Any subsequent dedicated client mappers can be defined by clicking **Dedicated scopes** -> **Add mapper** -> + **By configuration** -> *Select mapper* + +You should now be able to create a test user in Keycloak and get access to the OAuth2 Proxy instance, make sure to set +an email address matching `` and select _Email verified_. + +**Authorization** + +_OAuth2 Proxy will perform authorization by requiring a valid user, this authorization can be extended to take into +account a user's membership in Keycloak `groups`, `realm roles`, and `client roles` using the keycloak-oidc provider options +`--allowed-role` or `--allowed-group`_ + +**Roles** + +_A standard Keycloak installation comes with the required mappers for **realm roles** and **client roles** through the +pre-defined client scope "roles". This ensures that any roles assigned to a user are included in the `JWT` tokens when +using an OIDC client that has the "Full scope allowed" feature activated, the feature is enabled by default._ + +_Creating a realm role_ +* Navigate to **Realm roles** -> **Create role** + * **Role name**, *``* -> **save** + +_Creating a client role_ +* Navigate to **Clients** -> `` -> **Roles** -> **Create role** + * **Role name**, *``* -> **save** + + +_Assign a role to a user_ + +**Users** -> _Username_ -> **Role mapping** -> **Assign role** -> _filter by roles or clients and select_ -> **Assign**. + +Keycloak "realm roles" can be authorized using the `--allowed-role=` option, while "client roles" can be +evaluated using `--allowed-role=:`. + +You may limit the _realm roles_ included in the JWT tokens for any given client by navigating to: +**Clients** -> `` -> **Client scopes** -> _-dedicated_ -> **Scope** +Disabling **Full scope allowed** activates the **Assign role** option, allowing you to select which roles, if assigned +to a user, will be included in the user's JWT tokens. This can be useful when a user has many associated roles, and you +want to reduce the size and impact of the JWT token. + + +**Groups** + +You may also do authorization on group memberships by using the OAuth2 Proxy option `--allowed-group`. +We will only do a brief description of creating the required _client scope_ **groups** and refer you to read the Keycloak +documentation. + +To summarize, the steps required to authorize Keycloak group membership with OAuth2 Proxy are as follows: + +* Create a new Client Scope with the name **groups** in Keycloak. + * Include a mapper of type **Group Membership**. + * Set the "Token Claim Name" to **groups** or customize by matching it to the `--oidc-groups-claim` option of OAuth2 Proxy. + * If the "Full group path" option is selected, you need to include a "/" separator in the group names defined in the + `--allowed-group` option of OAuth2 Proxy. Example: "/groupname" or "/groupname/child_group". + +After creating the _Client Scope_ named _groups_ you will need to attach it to your client. +**Clients** -> `` -> **Client scopes** -> **Add client scope** -> Select **groups** and choose Optional +and you should now have a client that maps group memberships into the JWT tokens so that Oauth2 Proxy may evaluate them. + +Create a group by navigating to **Groups** -> **Create group** and _add_ your test user as a member. + +The OAuth2 Proxy option `--allowed-group=/groupname` will now allow you to filter on group membership + +Keycloak also has the option of attaching roles to groups, please refer to the Keycloak documentation for more information. + +**Tip** + +To check if roles or groups are added to JWT tokens, you can preview a users token in the Keycloak console by following +these steps: **Clients** -> `` -> **Client scopes** -> **Evaluate**. +Select a _realm user_ and optional _scope parameters_ such as groups, and generate the JSON representation of an access +or id token to examine its contents. diff --git a/docs/docs/configuration/providers/linkedin.md b/docs/docs/configuration/providers/linkedin.md new file mode 100644 index 0000000000..7d26ec4334 --- /dev/null +++ b/docs/docs/configuration/providers/linkedin.md @@ -0,0 +1,13 @@ +--- +id: linkedin +title: LinkedIn +--- + +For LinkedIn, the registration steps are: + +1. Create a new project: https://www.linkedin.com/secure/developer +2. In the OAuth User Agreement section: + - In default scope, select r_basicprofile and r_emailaddress. + - In "OAuth 2.0 Redirect URLs", enter `https://internal.yourcompany.com/oauth2/callback` +3. Fill in the remaining required fields and Save. +4. Take note of the **Consumer Key / API Key** and **Consumer Secret / Secret Key** diff --git a/docs/docs/configuration/providers/login_gov.md b/docs/docs/configuration/providers/login_gov.md new file mode 100644 index 0000000000..badbe48e69 --- /dev/null +++ b/docs/docs/configuration/providers/login_gov.md @@ -0,0 +1,79 @@ +--- +id: login_gov +title: Login.gov +--- + +login.gov is an OIDC provider for the US Government. +If you are a US Government agency, you can contact the login.gov team through the contact information +that you can find on https://login.gov/developers/ and work with them to understand how to get login.gov +accounts for integration/test and production access. + +A developer guide is available here: https://developers.login.gov/, though this proxy handles everything +but the data you need to create to register your application in the login.gov dashboard. + +As a demo, we will assume that you are running your application that you want to secure locally on +http://localhost:3000/, that you will be starting your proxy up on http://localhost:4180/, and that +you have an agency integration account for testing. + +First, register your application in the dashboard. The important bits are: +* Identity protocol: make this `Openid connect` +* Issuer: do what they say for OpenID Connect. We will refer to this string as `${LOGINGOV_ISSUER}`. +* Public key: This is a self-signed certificate in .pem format generated from a 2048-bit RSA private key. + A quick way to do this is + `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650 -nodes -subj '/C=US/ST=Washington/L=DC/O=GSA/OU=18F/CN=localhost'`. + The contents of the `key.pem` shall be referred to as `${OAUTH2_PROXY_JWT_KEY}`. +* Return to App URL: Make this be `http://localhost:4180/` +* Redirect URIs: Make this be `http://localhost:4180/oauth2/callback`. +* Attribute Bundle: Make sure that email is selected. + +Now start the proxy up with the following options: +``` +./oauth2-proxy -provider login.gov \ + -client-id=${LOGINGOV_ISSUER} \ + -redirect-url=http://localhost:4180/oauth2/callback \ + -oidc-issuer-url=https://idp.int.identitysandbox.gov/ \ + -cookie-secure=false \ + -email-domain=gsa.gov \ + -upstream=http://localhost:3000/ \ + -cookie-secret=somerandomstring12341234567890AB \ + -cookie-domain=localhost \ + -skip-provider-button=true \ + -pubjwk-url=https://idp.int.identitysandbox.gov/api/openid_connect/certs \ + -profile-url=https://idp.int.identitysandbox.gov/api/openid_connect/userinfo \ + -jwt-key="${OAUTH2_PROXY_JWT_KEY}" +``` +You can also set all these options with environment variables, for use in cloud/docker environments. +One tricky thing that you may encounter is that some cloud environments will pass in environment +variables in a docker env-file, which does not allow multiline variables like a PEM file. +If you encounter this, then you can create a `jwt_signing_key.pem` file in the top level +directory of the repo which contains the key in PEM format and then do your docker build. +The docker build process will copy that file into your image which you can then access by +setting the `OAUTH2_PROXY_JWT_KEY_FILE=/etc/ssl/private/jwt_signing_key.pem` +environment variable, or by setting `--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem` on the commandline. + +Once it is running, you should be able to go to `http://localhost:4180/` in your browser, +get authenticated by the login.gov integration server, and then get proxied on to your +application running on `http://localhost:3000/`. In a real deployment, you would secure +your application with a firewall or something so that it was only accessible from the +proxy, and you would use real hostnames everywhere. + +#### Skip OIDC discovery + +Some providers do not support OIDC discovery via their issuer URL, so oauth2-proxy cannot simply grab the authorization, +token and jwks URI endpoints from the provider's metadata. + +In this case, you can set the `--skip-oidc-discovery` option, and supply those required endpoints manually: + +``` + -provider oidc + -client-id oauth2-proxy + -client-secret proxy + -redirect-url http://127.0.0.1:4180/oauth2/callback + -oidc-issuer-url http://127.0.0.1:5556 + -skip-oidc-discovery + -login-url http://127.0.0.1:5556/authorize + -redeem-url http://127.0.0.1:5556/token + -oidc-jwks-url http://127.0.0.1:5556/keys + -cookie-secure=false + -email-domain example.com +``` diff --git a/docs/docs/configuration/providers/nextcloud.md b/docs/docs/configuration/providers/nextcloud.md new file mode 100644 index 0000000000..85ebff0398 --- /dev/null +++ b/docs/docs/configuration/providers/nextcloud.md @@ -0,0 +1,28 @@ +--- +id: nextcloud +title: NextCloud +--- + +The Nextcloud provider allows you to authenticate against users in your +Nextcloud instance. + +When you are using the Nextcloud provider, you must specify the urls via +configuration, environment variable, or command line argument. Depending +on whether your Nextcloud instance is using pretty urls your urls may be of the +form `/index.php/apps/oauth2/*` or `/apps/oauth2/*`. + +Refer to the [OAuth2 +documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/oauth2.html) +to set up the client id and client secret. Your "Redirection URI" will be +`https://internalapp.yourcompany.com/oauth2/callback`. + +``` + -provider nextcloud + -client-id + -client-secret + -login-url="/index.php/apps/oauth2/authorize" + -redeem-url="/index.php/apps/oauth2/api/v1/token" + -validate-url="/ocs/v2.php/cloud/user?format=json" +``` + +Note: in *all* cases the validate-url will *not* have the `index.php`. diff --git a/docs/docs/configuration/providers/openid_connect.md b/docs/docs/configuration/providers/openid_connect.md new file mode 100644 index 0000000000..439053a51f --- /dev/null +++ b/docs/docs/configuration/providers/openid_connect.md @@ -0,0 +1,146 @@ +--- +id: openid_connect +title: OpenID Connect +--- + +OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many major providers and several open source projects. + +This provider was originally built against CoreOS Dex, and we will use it as an example. +The OpenID Connect Provider (OIDC) can also be used to connect to other Identity Providers such as Okta, an example can be found below. + +#### Dex + +To configure the OIDC provider for Dex, perform the following steps: + +1. Download Dex: + + ``` + go get github.com/dexidp/dex + ``` + + See the [getting started guide](https://dexidp.io/docs/getting-started/) for more details. + +2. Setup oauth2-proxy with the correct provider and using the default ports and callbacks. Add a configuration block to + the `staticClients` section of `examples/config-dev.yaml`: + + ``` + - id: oauth2-proxy + redirectURIs: + - 'http://127.0.0.1:4180/oauth2/callback' + name: 'oauth2-proxy' + secret: proxy + ``` + +3. Launch Dex: from `$GOPATH/github.com/dexidp/dex`, run: + + ``` + bin/dex serve examples/config-dev.yaml + ``` + +4. In a second terminal, run the oauth2-proxy with the following args: + + ``` + -provider oidc + -provider-display-name "My OIDC Provider" + -client-id oauth2-proxy + -client-secret proxy + -redirect-url http://127.0.0.1:4180/oauth2/callback + -oidc-issuer-url http://127.0.0.1:5556/dex + -cookie-secure=false + -cookie-secret=secret + -email-domain kilgore.trout + ``` + + To serve the current working directory as a website under the `/static` endpoint, add: + + ``` + -upstream file://$PWD/#/static/ + ``` + +5. Test the setup by visiting http://127.0.0.1:4180 or http://127.0.0.1:4180/static . + +See also [our local testing environment](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/local-environment) for a self-contained example using Docker and etcd as storage for Dex. + +#### Okta + +To configure the OIDC provider for Okta, perform the following steps: + +1. Log in to Okta using an administrative account. It is suggested you try this in preview first, `example.oktapreview.com` +2. (OPTIONAL) If you want to configure authorization scopes and claims to be passed on to multiple applications, + you may wish to configure an authorization server for each application. Otherwise, the provided `default` will work. + * Navigate to **Security** then select **API** + * Click **Add Authorization Server**, if this option is not available you may require an additional license for a custom + authorization server. + * Fill out the **Name** with something to describe the application you are protecting. e.g. 'Example App'. + * For **Audience**, pick the URL of the application you wish to protect: https://example.corp.com + * Fill out a **Description** + * Add any **Access Policies** you wish to configure to limit application access. + * The default settings will work for other options. + [See Okta documentation for more information on Authorization Servers](https://developer.okta.com/docs/guides/customize-authz-server/overview/) +3. Navigate to **Applications** then select **Add Application**. + * Select **Web** for the **Platform** setting. + * Select **OpenID Connect** and click **Create** + * Pick an **Application Name** such as `Example App`. + * Set the **Login redirect URI** to `https://example.corp.com`. + * Under **General** set the **Allowed grant types** to `Authorization Code` and `Refresh Token`. + * Leave the rest as default, taking note of the `Client ID` and `Client Secret`. + * Under **Assignments** select the users or groups you wish to access your application. +4. Create a configuration file like the following: + + ``` + provider = "oidc" + redirect_url = "https://example.corp.com/oauth2/callback" + oidc_issuer_url = "https://corp.okta.com/oauth2/abCd1234" + upstreams = [ + "https://example.corp.com" + ] + email_domains = [ + "corp.com" + ] + client_id = "XXXXX" + client_secret = "YYYYY" + pass_access_token = true + cookie_secret = "ZZZZZ" + skip_provider_button = true + ``` + +The `oidc_issuer_url` is based on URL from your **Authorization Server**'s **Issuer** field in step 2, or simply +https://corp.okta.com. The `client_id` and `client_secret` are configured in the application settings. +Generate a unique `cookie_secret` to encrypt the cookie. + +Then you can start the oauth2-proxy with `./oauth2-proxy --config /etc/example.cfg` + +#### Okta - localhost + +1. Signup for developer account: https://developer.okta.com/signup/ +2. Create New `Web` Application: https://${your-okta-domain}/dev/console/apps/new +3. Example Application Settings for localhost: + * **Name:** My Web App + * **Base URIs:** http://localhost:4180/ + * **Login redirect URIs:** http://localhost:4180/oauth2/callback + * **Logout redirect URIs:** http://localhost:4180/ + * **Group assignments:** `Everyone` + * **Grant type allowed:** `Authorization Code` and `Refresh Token` +4. Make note of the `Client ID` and `Client secret`, they are needed in a future step +5. Make note of the **default** Authorization Server Issuer URI from: https://${your-okta-domain}/admin/oauth2/as +6. Example config file `/etc/localhost.cfg` + ``` + provider = "oidc" + redirect_url = "http://localhost:4180/oauth2/callback" + oidc_issuer_url = "https://${your-okta-domain}/oauth2/default" + upstreams = [ + "http://0.0.0.0:8080" + ] + email_domains = [ + "*" + ] + client_id = "XXX" + client_secret = "YYY" + pass_access_token = true + cookie_secret = "ZZZ" + cookie_secure = false + skip_provider_button = true + # Note: use the following for testing within a container + # http_address = "0.0.0.0:4180" + ``` +7. Then you can start the oauth2-proxy with `./oauth2-proxy --config /etc/localhost.cfg` diff --git a/docs/docs/configuration/sessions.md b/docs/docs/configuration/sessions.md index 3a0706e755..fa8657afac 100644 --- a/docs/docs/configuration/sessions.md +++ b/docs/docs/configuration/sessions.md @@ -32,7 +32,7 @@ users to re-authenticate ### Redis Storage -The Redis Storage backend stores sessions, encrypted, in redis. Instead sending all the information +The Redis Storage backend stores encrypted sessions in redis. Instead of sending all the information back the client for storage, as in the [Cookie storage](#cookie-storage), a ticket is sent back to the user as the cookie value instead. @@ -43,16 +43,15 @@ A ticket is composed as the following: Where: - The `CookieName` is the OAuth2 cookie name (_oauth2_proxy by default) -- The `ticketID` is a 128 bit random number, hex-encoded -- The `secret` is a 128 bit random number, base64url encoded (no padding). The secret is unique for every session. +- The `ticketID` is a 128-bit random number, hex-encoded +- The `secret` is a 128-bit random number, base64url encoded (no padding). The secret is unique for every session. - The pair of `{CookieName}-{ticketID}` comprises a ticket handle, and thus, the redis key to which the session is stored. The encoded session is encrypted with the secret and stored in redis via the `SETEX` command. Encrypting every session uniquely protects the refresh/access/id tokens stored in the session from -disclosure. - -Additionally the browser only has to send a short Cookie with every request and not the whole JWT, which can get quite big. +disclosure. Additionally, the browser only has to send a short Cookie with every request and not the whole JWT, +which can get quite big. Two settings are used to configure the OAuth2 Proxy cookie lifetime: @@ -76,8 +75,8 @@ For this reason, it's advised to set the cookie-refresh a couple of seconds less Recommended settings: -* cookie\_refresh := Access-Token lifespan - 1m -* cookie\_expire := Refresh-Token lifespan (i.e. Keycloak's client\_session\_idle) +* cookie_refresh := Access-Token lifespan - 1m +* cookie_expire := Refresh-Token lifespan (i.e. Keycloak client_session_idle) #### Usage diff --git a/docs/docs/features/endpoints.md b/docs/docs/features/endpoints.md index e3b5f0bbcc..8081f632d6 100644 --- a/docs/docs/features/endpoints.md +++ b/docs/docs/features/endpoints.md @@ -9,7 +9,7 @@ OAuth2 Proxy responds directly to the following endpoints. All other endpoints w - /ping - returns a 200 OK response, which is intended for use with health checks - /ready - returns a 200 OK response if all the underlying connections (e.g., Redis store) are connected - /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by `--metrics-address`, disabled by default -- /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies) +- /oauth2/sign_in - the login page, which also doubles as a sign-out page (it clears cookies) - /oauth2/sign_out - this URL is used to clear the session cookie - /oauth2/start - a URL that will redirect to start the OAuth cycle - /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url. @@ -19,7 +19,7 @@ OAuth2 Proxy responds directly to the following endpoints. All other endpoints w ### Sign out -To sign the user out, redirect them to `/oauth2/sign_out`. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the `rd` query parameter, i.e. redirect the user to something like (notice the url-encoding!): +To sign the user out, redirect them to `/oauth2/sign_out`. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign-out page afterward using the `rd` query parameter, i.e. redirect the user to something like (notice the url-encoding!): ``` /oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page @@ -41,7 +41,7 @@ BEWARE that the domain you want to redirect to (`my-oidc-provider.example.com` i This endpoint returns 202 Accepted response or a 401 Unauthorized response. -It can be configured using the following query parameters query parameters: +It can be configured using the following query parameters: - `allowed_groups`: comma separated list of allowed groups - `allowed_email_domains`: comma separated list of allowed email domains -- `allowed_emails`: comma separated list of allowed emails \ No newline at end of file +- `allowed_emails`: comma separated list of allowed emails diff --git a/docs/docs/installation.md b/docs/docs/installation.md index 2be4c6a00b..154508dd27 100644 --- a/docs/docs/installation.md +++ b/docs/docs/installation.md @@ -14,13 +14,13 @@ slug: / d. Using a [Kubernetes manifest](https://github.com/oauth2-proxy/manifests) (Helm) -Prebuilt binaries can be validated by extracting the file and verifying it against the `sha256sum.txt` checksum file provided for each release starting with version `v3.0.0`. - -``` -$ sha256sum -c sha256sum.txt -oauth2-proxy-x.y.z.linux-amd64: OK -``` - -2. [Select a Provider and Register an OAuth Application with a Provider](configuration/auth.md) + Prebuilt binaries can be validated by extracting the file and verifying it against the `sha256sum.txt` checksum file provided for each release starting with version `v3.0.0`. + + ``` + $ sha256sum -c sha256sum.txt + oauth2-proxy-x.y.z.linux-amd64: OK + ``` + +2. [Select a Provider and Register an OAuth Application with a Provider](configuration/providers/index.md) 3. [Configure OAuth2 Proxy using config file, command line options, or environment variables](configuration/overview.md) -4. [Configure SSL or Deploy behind a SSL endpoint](configuration/tls.md) (example provided for Nginx) +4. [Configure SSL or Deploy behind an SSL endpoint](configuration/tls.md) (example provided for Nginx) diff --git a/docs/docusaurus.config.js b/docs/docusaurus.config.js index ef1718eec4..ecd63b430d 100644 --- a/docs/docusaurus.config.js +++ b/docs/docusaurus.config.js @@ -37,6 +37,9 @@ module.exports = { style: 'dark', copyright: `Copyright © ${new Date().getFullYear()} OAuth2 Proxy.`, }, + prism: { + additionalLanguages: ['hcl', 'powershell'], + }, }, presets: [ [ diff --git a/docs/package-lock.json b/docs/package-lock.json index c2e99a72fc..826b74aedd 100644 --- a/docs/package-lock.json +++ b/docs/package-lock.json @@ -8,8 +8,8 @@ "name": "docusaurus", "version": "0.0.0", "dependencies": { - "@docusaurus/core": "^2.0.0-beta.15", - "@docusaurus/preset-classic": "^2.0.0-beta.15", + "@docusaurus/core": "^2.4.3", + "@docusaurus/preset-classic": "^2.4.3", "@easyops-cn/docusaurus-search-local": "^0.29.0", "@mdx-js/react": "^1.6.22", "clsx": "^1.1.1", @@ -59,74 +59,74 @@ } }, "node_modules/@algolia/cache-browser-local-storage": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/cache-browser-local-storage/-/cache-browser-local-storage-4.19.1.tgz", - "integrity": "sha512-FYAZWcGsFTTaSAwj9Std8UML3Bu8dyWDncM7Ls8g+58UOe4XYdlgzXWbrIgjaguP63pCCbMoExKr61B+ztK3tw==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/cache-browser-local-storage/-/cache-browser-local-storage-4.20.0.tgz", + "integrity": "sha512-uujahcBt4DxduBTvYdwO3sBfHuJvJokiC3BP1+O70fglmE1ShkH8lpXqZBac1rrU3FnNYSUs4pL9lBdTKeRPOQ==", "dependencies": { - "@algolia/cache-common": "4.19.1" + "@algolia/cache-common": "4.20.0" } }, "node_modules/@algolia/cache-common": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/cache-common/-/cache-common-4.19.1.tgz", - "integrity": "sha512-XGghi3l0qA38HiqdoUY+wvGyBsGvKZ6U3vTiMBT4hArhP3fOGLXpIINgMiiGjTe4FVlTa5a/7Zf2bwlIHfRqqg==" + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/cache-common/-/cache-common-4.20.0.tgz", + "integrity": "sha512-vCfxauaZutL3NImzB2G9LjLt36vKAckc6DhMp05An14kVo8F1Yofb6SIl6U3SaEz8pG2QOB9ptwM5c+zGevwIQ==" }, "node_modules/@algolia/cache-in-memory": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/cache-in-memory/-/cache-in-memory-4.19.1.tgz", - "integrity": "sha512-+PDWL+XALGvIginigzu8oU6eWw+o76Z8zHbBovWYcrtWOEtinbl7a7UTt3x3lthv+wNuFr/YD1Gf+B+A9V8n5w==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/cache-in-memory/-/cache-in-memory-4.20.0.tgz", + "integrity": "sha512-Wm9ak/IaacAZXS4mB3+qF/KCoVSBV6aLgIGFEtQtJwjv64g4ePMapORGmCyulCFwfePaRAtcaTbMcJF+voc/bg==", "dependencies": { - "@algolia/cache-common": "4.19.1" + "@algolia/cache-common": "4.20.0" } }, "node_modules/@algolia/client-account": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/client-account/-/client-account-4.19.1.tgz", - "integrity": "sha512-Oy0ritA2k7AMxQ2JwNpfaEcgXEDgeyKu0V7E7xt/ZJRdXfEpZcwp9TOg4TJHC7Ia62gIeT2Y/ynzsxccPw92GA==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/client-account/-/client-account-4.20.0.tgz", + "integrity": "sha512-GGToLQvrwo7am4zVkZTnKa72pheQeez/16sURDWm7Seyz+HUxKi3BM6fthVVPUEBhtJ0reyVtuK9ArmnaKl10Q==", "dependencies": { - "@algolia/client-common": "4.19.1", - "@algolia/client-search": "4.19.1", - "@algolia/transporter": "4.19.1" + "@algolia/client-common": "4.20.0", + "@algolia/client-search": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "node_modules/@algolia/client-analytics": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/client-analytics/-/client-analytics-4.19.1.tgz", - "integrity": "sha512-5QCq2zmgdZLIQhHqwl55ZvKVpLM3DNWjFI4T+bHr3rGu23ew2bLO4YtyxaZeChmDb85jUdPDouDlCumGfk6wOg==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/client-analytics/-/client-analytics-4.20.0.tgz", + "integrity": "sha512-EIr+PdFMOallRdBTHHdKI3CstslgLORQG7844Mq84ib5oVFRVASuuPmG4bXBgiDbcsMLUeOC6zRVJhv1KWI0ug==", "dependencies": { - "@algolia/client-common": "4.19.1", - "@algolia/client-search": "4.19.1", - "@algolia/requester-common": "4.19.1", - "@algolia/transporter": "4.19.1" + "@algolia/client-common": "4.20.0", + "@algolia/client-search": "4.20.0", + "@algolia/requester-common": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "node_modules/@algolia/client-common": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-4.19.1.tgz", - "integrity": "sha512-3kAIVqTcPrjfS389KQvKzliC559x+BDRxtWamVJt8IVp7LGnjq+aVAXg4Xogkur1MUrScTZ59/AaUd5EdpyXgA==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-4.20.0.tgz", + "integrity": "sha512-P3WgMdEss915p+knMMSd/fwiHRHKvDu4DYRrCRaBrsfFw7EQHon+EbRSm4QisS9NYdxbS04kcvNoavVGthyfqQ==", "dependencies": { - "@algolia/requester-common": "4.19.1", - "@algolia/transporter": "4.19.1" + "@algolia/requester-common": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "node_modules/@algolia/client-personalization": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/client-personalization/-/client-personalization-4.19.1.tgz", - "integrity": "sha512-8CWz4/H5FA+krm9HMw2HUQenizC/DxUtsI5oYC0Jxxyce1vsr8cb1aEiSJArQT6IzMynrERif1RVWLac1m36xw==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/client-personalization/-/client-personalization-4.20.0.tgz", + "integrity": "sha512-N9+zx0tWOQsLc3K4PVRDV8GUeOLAY0i445En79Pr3zWB+m67V+n/8w4Kw1C5LlbHDDJcyhMMIlqezh6BEk7xAQ==", "dependencies": { - "@algolia/client-common": "4.19.1", - "@algolia/requester-common": "4.19.1", - "@algolia/transporter": "4.19.1" + "@algolia/client-common": "4.20.0", + "@algolia/requester-common": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "node_modules/@algolia/client-search": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-4.19.1.tgz", - "integrity": "sha512-mBecfMFS4N+yK/p0ZbK53vrZbL6OtWMk8YmnOv1i0LXx4pelY8TFhqKoTit3NPVPwoSNN0vdSN9dTu1xr1XOVw==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-4.20.0.tgz", + "integrity": "sha512-zgwqnMvhWLdpzKTpd3sGmMlr4c+iS7eyyLGiaO51zDZWGMkpgoNVmltkzdBwxOVXz0RsFMznIxB9zuarUv4TZg==", "dependencies": { - "@algolia/client-common": "4.19.1", - "@algolia/requester-common": "4.19.1", - "@algolia/transporter": "4.19.1" + "@algolia/client-common": "4.20.0", + "@algolia/requester-common": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "node_modules/@algolia/events": { @@ -135,47 +135,47 @@ "integrity": "sha512-FQzvOCgoFXAbf5Y6mYozw2aj5KCJoA3m4heImceldzPSMbdyS4atVjJzXKMsfX3wnZTFYwkkt8/z8UesLHlSBQ==" }, "node_modules/@algolia/logger-common": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/logger-common/-/logger-common-4.19.1.tgz", - "integrity": "sha512-i6pLPZW/+/YXKis8gpmSiNk1lOmYCmRI6+x6d2Qk1OdfvX051nRVdalRbEcVTpSQX6FQAoyeaui0cUfLYW5Elw==" + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/logger-common/-/logger-common-4.20.0.tgz", + "integrity": "sha512-xouigCMB5WJYEwvoWW5XDv7Z9f0A8VoXJc3VKwlHJw/je+3p2RcDXfksLI4G4lIVncFUYMZx30tP/rsdlvvzHQ==" }, "node_modules/@algolia/logger-console": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/logger-console/-/logger-console-4.19.1.tgz", - "integrity": "sha512-jj72k9GKb9W0c7TyC3cuZtTr0CngLBLmc8trzZlXdfvQiigpUdvTi1KoWIb2ZMcRBG7Tl8hSb81zEY3zI2RlXg==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/logger-console/-/logger-console-4.20.0.tgz", + "integrity": "sha512-THlIGG1g/FS63z0StQqDhT6bprUczBI8wnLT3JWvfAQDZX5P6fCg7dG+pIrUBpDIHGszgkqYEqECaKKsdNKOUA==", "dependencies": { - "@algolia/logger-common": "4.19.1" + "@algolia/logger-common": "4.20.0" } }, "node_modules/@algolia/requester-browser-xhr": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-4.19.1.tgz", - "integrity": "sha512-09K/+t7lptsweRTueHnSnmPqIxbHMowejAkn9XIcJMLdseS3zl8ObnS5GWea86mu3vy4+8H+ZBKkUN82Zsq/zg==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-4.20.0.tgz", + "integrity": "sha512-HbzoSjcjuUmYOkcHECkVTwAelmvTlgs48N6Owt4FnTOQdwn0b8pdht9eMgishvk8+F8bal354nhx/xOoTfwiAw==", "dependencies": { - "@algolia/requester-common": "4.19.1" + "@algolia/requester-common": "4.20.0" } }, "node_modules/@algolia/requester-common": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/requester-common/-/requester-common-4.19.1.tgz", - "integrity": "sha512-BisRkcWVxrDzF1YPhAckmi2CFYK+jdMT60q10d7z3PX+w6fPPukxHRnZwooiTUrzFe50UBmLItGizWHP5bDzVQ==" + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-common/-/requester-common-4.20.0.tgz", + "integrity": "sha512-9h6ye6RY/BkfmeJp7Z8gyyeMrmmWsMOCRBXQDs4mZKKsyVlfIVICpcSibbeYcuUdurLhIlrOUkH3rQEgZzonng==" }, "node_modules/@algolia/requester-node-http": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-4.19.1.tgz", - "integrity": "sha512-6DK52DHviBHTG2BK/Vv2GIlEw7i+vxm7ypZW0Z7vybGCNDeWzADx+/TmxjkES2h15+FZOqVf/Ja677gePsVItA==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-4.20.0.tgz", + "integrity": "sha512-ocJ66L60ABSSTRFnCHIEZpNHv6qTxsBwJEPfYaSBsLQodm0F9ptvalFkHMpvj5DfE22oZrcrLbOYM2bdPJRHng==", "dependencies": { - "@algolia/requester-common": "4.19.1" + "@algolia/requester-common": "4.20.0" } }, "node_modules/@algolia/transporter": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/transporter/-/transporter-4.19.1.tgz", - "integrity": "sha512-nkpvPWbpuzxo1flEYqNIbGz7xhfhGOKGAZS7tzC+TELgEmi7z99qRyTfNSUlW7LZmB3ACdnqAo+9A9KFBENviQ==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/transporter/-/transporter-4.20.0.tgz", + "integrity": "sha512-Lsii1pGWOAISbzeyuf+r/GPhvHMPHSPrTDWNcIzOE1SG1inlJHICaVe2ikuoRjcpgxZNU54Jl+if15SUCsaTUg==", "dependencies": { - "@algolia/cache-common": "4.19.1", - "@algolia/logger-common": "4.19.1", - "@algolia/requester-common": "4.19.1" + "@algolia/cache-common": "4.20.0", + "@algolia/logger-common": "4.20.0", + "@algolia/requester-common": "4.20.0" } }, "node_modules/@ampproject/remapping": { @@ -2159,9 +2159,9 @@ } }, "node_modules/@docusaurus/core": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/core/-/core-2.4.1.tgz", - "integrity": "sha512-SNsY7PshK3Ri7vtsLXVeAJGS50nJN3RgF836zkyUfAD01Fq+sAk5EwWgLw+nnm5KVNGDu7PRR2kRGDsWvqpo0g==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/core/-/core-2.4.3.tgz", + "integrity": "sha512-dWH5P7cgeNSIg9ufReX6gaCl/TmrGKD38Orbwuz05WPhAQtFXHd5B8Qym1TiXfvUNvwoYKkAJOJuGe8ou0Z7PA==", "dependencies": { "@babel/core": "^7.18.6", "@babel/generator": "^7.18.7", @@ -2173,13 +2173,13 @@ "@babel/runtime": "^7.18.6", "@babel/runtime-corejs3": "^7.18.6", "@babel/traverse": "^7.18.8", - "@docusaurus/cssnano-preset": "2.4.1", - "@docusaurus/logger": "2.4.1", - "@docusaurus/mdx-loader": "2.4.1", + "@docusaurus/cssnano-preset": "2.4.3", + "@docusaurus/logger": "2.4.3", + "@docusaurus/mdx-loader": "2.4.3", "@docusaurus/react-loadable": "5.5.2", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-common": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-common": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "@slorber/static-site-generator-webpack-plugin": "^4.0.7", "@svgr/webpack": "^6.2.1", "autoprefixer": "^10.4.7", @@ -2382,9 +2382,9 @@ } }, "node_modules/@docusaurus/cssnano-preset": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/cssnano-preset/-/cssnano-preset-2.4.1.tgz", - "integrity": "sha512-ka+vqXwtcW1NbXxWsh6yA1Ckii1klY9E53cJ4O9J09nkMBgrNX3iEFED1fWdv8wf4mJjvGi5RLZ2p9hJNjsLyQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/cssnano-preset/-/cssnano-preset-2.4.3.tgz", + "integrity": "sha512-ZvGSRCi7z9wLnZrXNPG6DmVPHdKGd8dIn9pYbEOFiYihfv4uDR3UtxogmKf+rT8ZlKFf5Lqne8E8nt08zNM8CA==", "dependencies": { "cssnano-preset-advanced": "^5.3.8", "postcss": "^8.4.14", @@ -2401,9 +2401,9 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/logger": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/logger/-/logger-2.4.1.tgz", - "integrity": "sha512-5h5ysIIWYIDHyTVd8BjheZmQZmEgWDR54aQ1BX9pjFfpyzFo5puKXKYrYJXbjEHGyVhEzmB9UXwbxGfaZhOjcg==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/logger/-/logger-2.4.3.tgz", + "integrity": "sha512-Zxws7r3yLufk9xM1zq9ged0YHs65mlRmtsobnFkdZTxWXdTYlWWLWdKyNKAsVC+D7zg+pv2fGbyabdOnyZOM3w==", "dependencies": { "chalk": "^4.1.2", "tslib": "^2.4.0" @@ -2418,14 +2418,14 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/mdx-loader": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/mdx-loader/-/mdx-loader-2.4.1.tgz", - "integrity": "sha512-4KhUhEavteIAmbBj7LVFnrVYDiU51H5YWW1zY6SmBSte/YLhDutztLTBE0PQl1Grux1jzUJeaSvAzHpTn6JJDQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/mdx-loader/-/mdx-loader-2.4.3.tgz", + "integrity": "sha512-b1+fDnWtl3GiqkL0BRjYtc94FZrcDDBV1j8446+4tptB9BAOlePwG2p/pK6vGvfL53lkOsszXMghr2g67M0vCw==", "dependencies": { "@babel/parser": "^7.18.8", "@babel/traverse": "^7.18.8", - "@docusaurus/logger": "2.4.1", - "@docusaurus/utils": "2.4.1", + "@docusaurus/logger": "2.4.3", + "@docusaurus/utils": "2.4.3", "@mdx-js/mdx": "^1.6.22", "escape-html": "^1.0.3", "file-loader": "^6.2.0", @@ -2454,12 +2454,12 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/module-type-aliases": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/module-type-aliases/-/module-type-aliases-2.4.1.tgz", - "integrity": "sha512-gLBuIFM8Dp2XOCWffUDSjtxY7jQgKvYujt7Mx5s4FCTfoL5dN1EVbnrn+O2Wvh8b0a77D57qoIDY7ghgmatR1A==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/module-type-aliases/-/module-type-aliases-2.4.3.tgz", + "integrity": "sha512-cwkBkt1UCiduuvEAo7XZY01dJfRn7UR/75mBgOdb1hKknhrabJZ8YH+7savd/y9kLExPyrhe0QwdS9GuzsRRIA==", "dependencies": { "@docusaurus/react-loadable": "5.5.2", - "@docusaurus/types": "2.4.1", + "@docusaurus/types": "2.4.3", "@types/history": "^4.7.11", "@types/react": "*", "@types/react-router-config": "*", @@ -2473,17 +2473,17 @@ } }, "node_modules/@docusaurus/plugin-content-blog": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-blog/-/plugin-content-blog-2.4.1.tgz", - "integrity": "sha512-E2i7Knz5YIbE1XELI6RlTnZnGgS52cUO4BlCiCUCvQHbR+s1xeIWz4C6BtaVnlug0Ccz7nFSksfwDpVlkujg5Q==", - "dependencies": { - "@docusaurus/core": "2.4.1", - "@docusaurus/logger": "2.4.1", - "@docusaurus/mdx-loader": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-common": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-blog/-/plugin-content-blog-2.4.3.tgz", + "integrity": "sha512-PVhypqaA0t98zVDpOeTqWUTvRqCEjJubtfFUQ7zJNYdbYTbS/E/ytq6zbLVsN/dImvemtO/5JQgjLxsh8XLo8Q==", + "dependencies": { + "@docusaurus/core": "2.4.3", + "@docusaurus/logger": "2.4.3", + "@docusaurus/mdx-loader": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-common": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "cheerio": "^1.0.0-rc.12", "feed": "^4.2.2", "fs-extra": "^10.1.0", @@ -2508,17 +2508,17 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/plugin-content-docs": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-docs/-/plugin-content-docs-2.4.1.tgz", - "integrity": "sha512-Lo7lSIcpswa2Kv4HEeUcGYqaasMUQNpjTXpV0N8G6jXgZaQurqp7E8NGYeGbDXnb48czmHWbzDL4S3+BbK0VzA==", - "dependencies": { - "@docusaurus/core": "2.4.1", - "@docusaurus/logger": "2.4.1", - "@docusaurus/mdx-loader": "2.4.1", - "@docusaurus/module-type-aliases": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-docs/-/plugin-content-docs-2.4.3.tgz", + "integrity": "sha512-N7Po2LSH6UejQhzTCsvuX5NOzlC+HiXOVvofnEPj0WhMu1etpLEXE6a4aTxrtg95lQ5kf0xUIdjX9sh3d3G76A==", + "dependencies": { + "@docusaurus/core": "2.4.3", + "@docusaurus/logger": "2.4.3", + "@docusaurus/mdx-loader": "2.4.3", + "@docusaurus/module-type-aliases": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "@types/react-router-config": "^5.0.6", "combine-promises": "^1.1.0", "fs-extra": "^10.1.0", @@ -2543,15 +2543,15 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/plugin-content-pages": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-pages/-/plugin-content-pages-2.4.1.tgz", - "integrity": "sha512-/UjuH/76KLaUlL+o1OvyORynv6FURzjurSjvn2lbWTFc4tpYY2qLYTlKpTCBVPhlLUQsfyFnshEJDLmPneq2oA==", - "dependencies": { - "@docusaurus/core": "2.4.1", - "@docusaurus/mdx-loader": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-pages/-/plugin-content-pages-2.4.3.tgz", + "integrity": "sha512-txtDVz7y3zGk67q0HjG0gRttVPodkHqE0bpJ+7dOaTH40CQFLSh7+aBeGnPOTl+oCPG+hxkim4SndqPqXjQ8Bg==", + "dependencies": { + "@docusaurus/core": "2.4.3", + "@docusaurus/mdx-loader": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "fs-extra": "^10.1.0", "tslib": "^2.4.0", "webpack": "^5.73.0" @@ -2570,13 +2570,13 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/plugin-debug": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-debug/-/plugin-debug-2.4.1.tgz", - "integrity": "sha512-7Yu9UPzRShlrH/G8btOpR0e6INFZr0EegWplMjOqelIwAcx3PKyR8mgPTxGTxcqiYj6hxSCRN0D8R7YrzImwNA==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-debug/-/plugin-debug-2.4.3.tgz", + "integrity": "sha512-LkUbuq3zCmINlFb+gAd4ZvYr+bPAzMC0hwND4F7V9bZ852dCX8YoWyovVUBKq4er1XsOwSQaHmNGtObtn8Av8Q==", "dependencies": { - "@docusaurus/core": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", + "@docusaurus/core": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", "fs-extra": "^10.1.0", "react-json-view": "^1.21.3", "tslib": "^2.4.0" @@ -2595,13 +2595,13 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/plugin-google-analytics": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-analytics/-/plugin-google-analytics-2.4.1.tgz", - "integrity": "sha512-dyZJdJiCoL+rcfnm0RPkLt/o732HvLiEwmtoNzOoz9MSZz117UH2J6U2vUDtzUzwtFLIf32KkeyzisbwUCgcaQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-analytics/-/plugin-google-analytics-2.4.3.tgz", + "integrity": "sha512-KzBV3k8lDkWOhg/oYGxlK5o9bOwX7KpPc/FTWoB+SfKhlHfhq7qcQdMi1elAaVEIop8tgK6gD1E58Q+XC6otSQ==", "dependencies": { - "@docusaurus/core": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "@docusaurus/core": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "tslib": "^2.4.0" }, "engines": { @@ -2618,13 +2618,13 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/plugin-google-gtag": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-gtag/-/plugin-google-gtag-2.4.1.tgz", - "integrity": "sha512-mKIefK+2kGTQBYvloNEKtDmnRD7bxHLsBcxgnbt4oZwzi2nxCGjPX6+9SQO2KCN5HZbNrYmGo5GJfMgoRvy6uA==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-gtag/-/plugin-google-gtag-2.4.3.tgz", + "integrity": "sha512-5FMg0rT7sDy4i9AGsvJC71MQrqQZwgLNdDetLEGDHLfSHLvJhQbTCUGbGXknUgWXQJckcV/AILYeJy+HhxeIFA==", "dependencies": { - "@docusaurus/core": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "@docusaurus/core": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "tslib": "^2.4.0" }, "engines": { @@ -2641,13 +2641,13 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/plugin-google-tag-manager": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-tag-manager/-/plugin-google-tag-manager-2.4.1.tgz", - "integrity": "sha512-Zg4Ii9CMOLfpeV2nG74lVTWNtisFaH9QNtEw48R5QE1KIwDBdTVaiSA18G1EujZjrzJJzXN79VhINSbOJO/r3g==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-tag-manager/-/plugin-google-tag-manager-2.4.3.tgz", + "integrity": "sha512-1jTzp71yDGuQiX9Bi0pVp3alArV0LSnHXempvQTxwCGAEzUWWaBg4d8pocAlTpbP9aULQQqhgzrs8hgTRPOM0A==", "dependencies": { - "@docusaurus/core": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "@docusaurus/core": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "tslib": "^2.4.0" }, "engines": { @@ -2664,16 +2664,16 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/plugin-sitemap": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-sitemap/-/plugin-sitemap-2.4.1.tgz", - "integrity": "sha512-lZx+ijt/+atQ3FVE8FOHV/+X3kuok688OydDXrqKRJyXBJZKgGjA2Qa8RjQ4f27V2woaXhtnyrdPop/+OjVMRg==", - "dependencies": { - "@docusaurus/core": "2.4.1", - "@docusaurus/logger": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-common": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-sitemap/-/plugin-sitemap-2.4.3.tgz", + "integrity": "sha512-LRQYrK1oH1rNfr4YvWBmRzTL0LN9UAPxBbghgeFRBm5yloF6P+zv1tm2pe2hQTX/QP5bSKdnajCvfnScgKXMZQ==", + "dependencies": { + "@docusaurus/core": "2.4.3", + "@docusaurus/logger": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-common": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "fs-extra": "^10.1.0", "sitemap": "^7.1.1", "tslib": "^2.4.0" @@ -2692,23 +2692,23 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/preset-classic": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/preset-classic/-/preset-classic-2.4.1.tgz", - "integrity": "sha512-P4//+I4zDqQJ+UDgoFrjIFaQ1MeS9UD1cvxVQaI6O7iBmiHQm0MGROP1TbE7HlxlDPXFJjZUK3x3cAoK63smGQ==", - "dependencies": { - "@docusaurus/core": "2.4.1", - "@docusaurus/plugin-content-blog": "2.4.1", - "@docusaurus/plugin-content-docs": "2.4.1", - "@docusaurus/plugin-content-pages": "2.4.1", - "@docusaurus/plugin-debug": "2.4.1", - "@docusaurus/plugin-google-analytics": "2.4.1", - "@docusaurus/plugin-google-gtag": "2.4.1", - "@docusaurus/plugin-google-tag-manager": "2.4.1", - "@docusaurus/plugin-sitemap": "2.4.1", - "@docusaurus/theme-classic": "2.4.1", - "@docusaurus/theme-common": "2.4.1", - "@docusaurus/theme-search-algolia": "2.4.1", - "@docusaurus/types": "2.4.1" + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/preset-classic/-/preset-classic-2.4.3.tgz", + "integrity": "sha512-tRyMliepY11Ym6hB1rAFSNGwQDpmszvWYJvlK1E+md4SW8i6ylNHtpZjaYFff9Mdk3i/Pg8ItQq9P0daOJAvQw==", + "dependencies": { + "@docusaurus/core": "2.4.3", + "@docusaurus/plugin-content-blog": "2.4.3", + "@docusaurus/plugin-content-docs": "2.4.3", + "@docusaurus/plugin-content-pages": "2.4.3", + "@docusaurus/plugin-debug": "2.4.3", + "@docusaurus/plugin-google-analytics": "2.4.3", + "@docusaurus/plugin-google-gtag": "2.4.3", + "@docusaurus/plugin-google-tag-manager": "2.4.3", + "@docusaurus/plugin-sitemap": "2.4.3", + "@docusaurus/theme-classic": "2.4.3", + "@docusaurus/theme-common": "2.4.3", + "@docusaurus/theme-search-algolia": "2.4.3", + "@docusaurus/types": "2.4.3" }, "engines": { "node": ">=16.14" @@ -2731,22 +2731,22 @@ } }, "node_modules/@docusaurus/theme-classic": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-classic/-/theme-classic-2.4.1.tgz", - "integrity": "sha512-Rz0wKUa+LTW1PLXmwnf8mn85EBzaGSt6qamqtmnh9Hflkc+EqiYMhtUJeLdV+wsgYq4aG0ANc+bpUDpsUhdnwg==", - "dependencies": { - "@docusaurus/core": "2.4.1", - "@docusaurus/mdx-loader": "2.4.1", - "@docusaurus/module-type-aliases": "2.4.1", - "@docusaurus/plugin-content-blog": "2.4.1", - "@docusaurus/plugin-content-docs": "2.4.1", - "@docusaurus/plugin-content-pages": "2.4.1", - "@docusaurus/theme-common": "2.4.1", - "@docusaurus/theme-translations": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-common": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-classic/-/theme-classic-2.4.3.tgz", + "integrity": "sha512-QKRAJPSGPfDY2yCiPMIVyr+MqwZCIV2lxNzqbyUW0YkrlmdzzP3WuQJPMGLCjWgQp/5c9kpWMvMxjhpZx1R32Q==", + "dependencies": { + "@docusaurus/core": "2.4.3", + "@docusaurus/mdx-loader": "2.4.3", + "@docusaurus/module-type-aliases": "2.4.3", + "@docusaurus/plugin-content-blog": "2.4.3", + "@docusaurus/plugin-content-docs": "2.4.3", + "@docusaurus/plugin-content-pages": "2.4.3", + "@docusaurus/theme-common": "2.4.3", + "@docusaurus/theme-translations": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-common": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "@mdx-js/react": "^1.6.22", "clsx": "^1.2.1", "copy-text-to-clipboard": "^3.0.1", @@ -2775,17 +2775,17 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/theme-common": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-common/-/theme-common-2.4.1.tgz", - "integrity": "sha512-G7Zau1W5rQTaFFB3x3soQoZpkgMbl/SYNG8PfMFIjKa3M3q8n0m/GRf5/H/e5BqOvt8c+ZWIXGCiz+kUCSHovA==", - "dependencies": { - "@docusaurus/mdx-loader": "2.4.1", - "@docusaurus/module-type-aliases": "2.4.1", - "@docusaurus/plugin-content-blog": "2.4.1", - "@docusaurus/plugin-content-docs": "2.4.1", - "@docusaurus/plugin-content-pages": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-common": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-common/-/theme-common-2.4.3.tgz", + "integrity": "sha512-7KaDJBXKBVGXw5WOVt84FtN8czGWhM0lbyWEZXGp8AFfL6sZQfRTluFp4QriR97qwzSyOfQb+nzcDZZU4tezUw==", + "dependencies": { + "@docusaurus/mdx-loader": "2.4.3", + "@docusaurus/module-type-aliases": "2.4.3", + "@docusaurus/plugin-content-blog": "2.4.3", + "@docusaurus/plugin-content-docs": "2.4.3", + "@docusaurus/plugin-content-pages": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-common": "2.4.3", "@types/history": "^4.7.11", "@types/react": "*", "@types/react-router-config": "*", @@ -2810,18 +2810,18 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/theme-search-algolia": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-search-algolia/-/theme-search-algolia-2.4.1.tgz", - "integrity": "sha512-6BcqW2lnLhZCXuMAvPRezFs1DpmEKzXFKlYjruuas+Xy3AQeFzDJKTJFIm49N77WFCTyxff8d3E4Q9pi/+5McQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-search-algolia/-/theme-search-algolia-2.4.3.tgz", + "integrity": "sha512-jziq4f6YVUB5hZOB85ELATwnxBz/RmSLD3ksGQOLDPKVzat4pmI8tddNWtriPpxR04BNT+ZfpPUMFkNFetSW1Q==", "dependencies": { "@docsearch/react": "^3.1.1", - "@docusaurus/core": "2.4.1", - "@docusaurus/logger": "2.4.1", - "@docusaurus/plugin-content-docs": "2.4.1", - "@docusaurus/theme-common": "2.4.1", - "@docusaurus/theme-translations": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "@docusaurus/core": "2.4.3", + "@docusaurus/logger": "2.4.3", + "@docusaurus/plugin-content-docs": "2.4.3", + "@docusaurus/theme-common": "2.4.3", + "@docusaurus/theme-translations": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "algoliasearch": "^4.13.1", "algoliasearch-helper": "^3.10.0", "clsx": "^1.2.1", @@ -2845,9 +2845,9 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/theme-translations": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-translations/-/theme-translations-2.4.1.tgz", - "integrity": "sha512-T1RAGP+f86CA1kfE8ejZ3T3pUU3XcyvrGMfC/zxCtc2BsnoexuNI9Vk2CmuKCb+Tacvhxjv5unhxXce0+NKyvA==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-translations/-/theme-translations-2.4.3.tgz", + "integrity": "sha512-H4D+lbZbjbKNS/Zw1Lel64PioUAIT3cLYYJLUf3KkuO/oc9e0QCVhIYVtUI2SfBCF2NNdlyhBDQEEMygsCedIg==", "dependencies": { "fs-extra": "^10.1.0", "tslib": "^2.4.0" @@ -2862,9 +2862,9 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/types": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/types/-/types-2.4.1.tgz", - "integrity": "sha512-0R+cbhpMkhbRXX138UOc/2XZFF8hiZa6ooZAEEJFp5scytzCw4tC1gChMFXrpa3d2tYE6AX8IrOEpSonLmfQuQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/types/-/types-2.4.3.tgz", + "integrity": "sha512-W6zNLGQqfrp/EoPD0bhb9n7OobP+RHpmvVzpA+Z/IuU3Q63njJM24hmT0GYboovWcDtFmnIJC9wcyx4RVPQscw==", "dependencies": { "@types/history": "^4.7.11", "@types/react": "*", @@ -2881,11 +2881,11 @@ } }, "node_modules/@docusaurus/utils": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/utils/-/utils-2.4.1.tgz", - "integrity": "sha512-1lvEZdAQhKNht9aPXPoh69eeKnV0/62ROhQeFKKxmzd0zkcuE/Oc5Gpnt00y/f5bIsmOsYMY7Pqfm/5rteT5GA==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/utils/-/utils-2.4.3.tgz", + "integrity": "sha512-fKcXsjrD86Smxv8Pt0TBFqYieZZCPh4cbf9oszUq/AMhZn3ujwpKaVYZACPX8mmjtYx0JOgNx52CREBfiGQB4A==", "dependencies": { - "@docusaurus/logger": "2.4.1", + "@docusaurus/logger": "2.4.3", "@svgr/webpack": "^6.2.1", "escape-string-regexp": "^4.0.0", "file-loader": "^6.2.0", @@ -2915,9 +2915,9 @@ } }, "node_modules/@docusaurus/utils-common": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/utils-common/-/utils-common-2.4.1.tgz", - "integrity": "sha512-bCVGdZU+z/qVcIiEQdyx0K13OC5mYwxhSuDUR95oFbKVuXYRrTVrwZIqQljuo1fyJvFTKHiL9L9skQOPokuFNQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/utils-common/-/utils-common-2.4.3.tgz", + "integrity": "sha512-/jascp4GbLQCPVmcGkPzEQjNaAk3ADVfMtudk49Ggb+131B1WDD6HqlSmDf8MxGdy7Dja2gc+StHf01kiWoTDQ==", "dependencies": { "tslib": "^2.4.0" }, @@ -2939,12 +2939,12 @@ "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, "node_modules/@docusaurus/utils-validation": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/utils-validation/-/utils-validation-2.4.1.tgz", - "integrity": "sha512-unII3hlJlDwZ3w8U+pMO3Lx3RhI4YEbY3YNsQj4yzrkZzlpqZOLuAiZK2JyULnD+TKbceKU0WyWkQXtYbLNDFA==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/utils-validation/-/utils-validation-2.4.3.tgz", + "integrity": "sha512-G2+Vt3WR5E/9drAobP+hhZQMaswRwDlp6qOMi7o7ZypB+VO7N//DZWhZEwhcRGepMDJGQEwtPv7UxtYwPL9PBw==", "dependencies": { - "@docusaurus/logger": "2.4.1", - "@docusaurus/utils": "2.4.1", + "@docusaurus/logger": "2.4.3", + "@docusaurus/utils": "2.4.3", "joi": "^17.6.0", "js-yaml": "^4.1.0", "tslib": "^2.4.0" @@ -4019,9 +4019,9 @@ "integrity": "sha512-wWKOClTTiizcZhXnPY4wikVAwmdYHp8q6DmC+EJUzAMsycb7HB32Kh9RN4+0gExjmPmZSAQjgURXIGATPegAvA==" }, "node_modules/@types/sax": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@types/sax/-/sax-1.2.4.tgz", - "integrity": "sha512-pSAff4IAxJjfAXUG6tFkO7dsSbTmf8CtUpfhhZ5VhkRpC4628tJhh3+V6H1E+/Gs9piSzYKT5yzHO5M4GG9jkw==", + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/@types/sax/-/sax-1.2.6.tgz", + "integrity": "sha512-A1mpYCYu1aHFayy8XKN57ebXeAbh9oQIZ1wXcno6b1ESUAfMBDMx7mf/QGlYwcMRaFryh9YBuH03i/3FlPGDkQ==", "dependencies": { "@types/node": "*" } @@ -4352,30 +4352,30 @@ } }, "node_modules/algoliasearch": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/algoliasearch/-/algoliasearch-4.19.1.tgz", - "integrity": "sha512-IJF5b93b2MgAzcE/tuzW0yOPnuUyRgGAtaPv5UUywXM8kzqfdwZTO4sPJBzoGz1eOy6H9uEchsJsBFTELZSu+g==", - "dependencies": { - "@algolia/cache-browser-local-storage": "4.19.1", - "@algolia/cache-common": "4.19.1", - "@algolia/cache-in-memory": "4.19.1", - "@algolia/client-account": "4.19.1", - "@algolia/client-analytics": "4.19.1", - "@algolia/client-common": "4.19.1", - "@algolia/client-personalization": "4.19.1", - "@algolia/client-search": "4.19.1", - "@algolia/logger-common": "4.19.1", - "@algolia/logger-console": "4.19.1", - "@algolia/requester-browser-xhr": "4.19.1", - "@algolia/requester-common": "4.19.1", - "@algolia/requester-node-http": "4.19.1", - "@algolia/transporter": "4.19.1" + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/algoliasearch/-/algoliasearch-4.20.0.tgz", + "integrity": "sha512-y+UHEjnOItoNy0bYO+WWmLWBlPwDjKHW6mNHrPi0NkuhpQOOEbrkwQH/wgKFDLh7qlKjzoKeiRtlpewDPDG23g==", + "dependencies": { + "@algolia/cache-browser-local-storage": "4.20.0", + "@algolia/cache-common": "4.20.0", + "@algolia/cache-in-memory": "4.20.0", + "@algolia/client-account": "4.20.0", + "@algolia/client-analytics": "4.20.0", + "@algolia/client-common": "4.20.0", + "@algolia/client-personalization": "4.20.0", + "@algolia/client-search": "4.20.0", + "@algolia/logger-common": "4.20.0", + "@algolia/logger-console": "4.20.0", + "@algolia/requester-browser-xhr": "4.20.0", + "@algolia/requester-common": "4.20.0", + "@algolia/requester-node-http": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "node_modules/algoliasearch-helper": { - "version": "3.14.0", - "resolved": "https://registry.npmjs.org/algoliasearch-helper/-/algoliasearch-helper-3.14.0.tgz", - "integrity": "sha512-gXDXzsSS0YANn5dHr71CUXOo84cN4azhHKUbg71vAWnH+1JBiR4jf7to3t3JHXknXkbV0F7f055vUSBKrltHLQ==", + "version": "3.15.0", + "resolved": "https://registry.npmjs.org/algoliasearch-helper/-/algoliasearch-helper-3.15.0.tgz", + "integrity": "sha512-DGUnK3TGtDQsaUE4ayF/LjSN0DGsuYThB8WBgnnDY0Wq04K6lNVruO3LfqJOgSfDiezp+Iyt8Tj4YKHi+/ivSA==", "dependencies": { "@algolia/events": "^4.0.1" }, @@ -4473,9 +4473,9 @@ } }, "node_modules/autoprefixer": { - "version": "10.4.15", - "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.15.tgz", - "integrity": "sha512-KCuPB8ZCIqFdA4HwKXsvz7j6gvSDNhDP7WnUjBleRkKjPdvCmHFuQ77ocavI8FT6NdvlBnE2UFr2H4Mycn8Vew==", + "version": "10.4.16", + "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.16.tgz", + "integrity": "sha512-7vd3UC6xKp0HLfua5IjZlcXvGAGy7cBAXTg2lyQ/8WpNhd6SiZ8Be+xm3FyBSYJx5GKcpRCzBh7RH4/0dnY+uQ==", "funding": [ { "type": "opencollective", @@ -4492,8 +4492,8 @@ ], "dependencies": { "browserslist": "^4.21.10", - "caniuse-lite": "^1.0.30001520", - "fraction.js": "^4.2.0", + "caniuse-lite": "^1.0.30001538", + "fraction.js": "^4.3.6", "normalize-range": "^0.1.2", "picocolors": "^1.0.0", "postcss-value-parser": "^4.2.0" @@ -4921,9 +4921,9 @@ } }, "node_modules/caniuse-lite": { - "version": "1.0.30001529", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001529.tgz", - "integrity": "sha512-n2pUQYGAkrLG4QYj2desAh+NqsJpHbNmVZz87imptDdxLAtjxary7Df/psdfyDGmskJK/9Dt9cPnx5RZ3CU4Og==", + "version": "1.0.30001554", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001554.tgz", + "integrity": "sha512-A2E3U//MBwbJVzebddm1YfNp7Nud5Ip+IPn4BozBmn4KqVX7AvluoIDFWjsv5OkGnKUXQVmMSoMKLa3ScCblcQ==", "funding": [ { "type": "opencollective", @@ -6956,9 +6956,9 @@ } }, "node_modules/fraction.js": { - "version": "4.3.6", - "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-4.3.6.tgz", - "integrity": "sha512-n2aZ9tNfYDwaHhvFTkhFErqOMIb8uyzSQ+vGJBjZyanAKZVbGUQ1sngfk9FdkBw7G26O7AgNjLcecLffD1c7eg==", + "version": "4.3.7", + "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-4.3.7.tgz", + "integrity": "sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew==", "engines": { "node": "*" }, @@ -11076,9 +11076,9 @@ } }, "node_modules/search-insights": { - "version": "2.8.2", - "resolved": "https://registry.npmjs.org/search-insights/-/search-insights-2.8.2.tgz", - "integrity": "sha512-PxA9M5Q2bpBelVvJ3oDZR8nuY00Z6qwOxL53wNpgzV28M/D6u9WUbImDckjLSILBF8F1hn/mgyuUaOPtjow4Qw==", + "version": "2.9.0", + "resolved": "https://registry.npmjs.org/search-insights/-/search-insights-2.9.0.tgz", + "integrity": "sha512-bkWW9nIHOFkLwjQ1xqVaMbjjO5vhP26ERsH9Y3pKr8imthofEFIxlnOabkmGcw6ksRj9jWidcI65vvjJH/nTGg==", "peer": true }, "node_modules/section-matter": { @@ -11954,9 +11954,9 @@ } }, "node_modules/ua-parser-js": { - "version": "1.0.35", - "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.35.tgz", - "integrity": "sha512-fKnGuqmTBnIE+/KXSzCn4db8RTigUzw1AN0DmdU6hJovUTbYJKyqj+8Mt1c4VfRDnOVJnENmfYkIPZ946UrSAA==", + "version": "1.0.36", + "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.36.tgz", + "integrity": "sha512-znuyCIXzl8ciS3+y3fHJI/2OhQIXbXw9MWC/o3qwyR+RGppjZHrM27CGFSKCJXi2Kctiz537iOu2KnXs1lMQhw==", "funding": [ { "type": "opencollective", @@ -11965,6 +11965,10 @@ { "type": "paypal", "url": "https://paypal.me/faisalman" + }, + { + "type": "github", + "url": "https://github.com/sponsors/faisalman" } ], "engines": { @@ -13012,74 +13016,74 @@ "requires": {} }, "@algolia/cache-browser-local-storage": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/cache-browser-local-storage/-/cache-browser-local-storage-4.19.1.tgz", - "integrity": "sha512-FYAZWcGsFTTaSAwj9Std8UML3Bu8dyWDncM7Ls8g+58UOe4XYdlgzXWbrIgjaguP63pCCbMoExKr61B+ztK3tw==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/cache-browser-local-storage/-/cache-browser-local-storage-4.20.0.tgz", + "integrity": "sha512-uujahcBt4DxduBTvYdwO3sBfHuJvJokiC3BP1+O70fglmE1ShkH8lpXqZBac1rrU3FnNYSUs4pL9lBdTKeRPOQ==", "requires": { - "@algolia/cache-common": "4.19.1" + "@algolia/cache-common": "4.20.0" } }, "@algolia/cache-common": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/cache-common/-/cache-common-4.19.1.tgz", - "integrity": "sha512-XGghi3l0qA38HiqdoUY+wvGyBsGvKZ6U3vTiMBT4hArhP3fOGLXpIINgMiiGjTe4FVlTa5a/7Zf2bwlIHfRqqg==" + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/cache-common/-/cache-common-4.20.0.tgz", + "integrity": "sha512-vCfxauaZutL3NImzB2G9LjLt36vKAckc6DhMp05An14kVo8F1Yofb6SIl6U3SaEz8pG2QOB9ptwM5c+zGevwIQ==" }, "@algolia/cache-in-memory": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/cache-in-memory/-/cache-in-memory-4.19.1.tgz", - "integrity": "sha512-+PDWL+XALGvIginigzu8oU6eWw+o76Z8zHbBovWYcrtWOEtinbl7a7UTt3x3lthv+wNuFr/YD1Gf+B+A9V8n5w==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/cache-in-memory/-/cache-in-memory-4.20.0.tgz", + "integrity": "sha512-Wm9ak/IaacAZXS4mB3+qF/KCoVSBV6aLgIGFEtQtJwjv64g4ePMapORGmCyulCFwfePaRAtcaTbMcJF+voc/bg==", "requires": { - "@algolia/cache-common": "4.19.1" + "@algolia/cache-common": "4.20.0" } }, "@algolia/client-account": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/client-account/-/client-account-4.19.1.tgz", - "integrity": "sha512-Oy0ritA2k7AMxQ2JwNpfaEcgXEDgeyKu0V7E7xt/ZJRdXfEpZcwp9TOg4TJHC7Ia62gIeT2Y/ynzsxccPw92GA==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/client-account/-/client-account-4.20.0.tgz", + "integrity": "sha512-GGToLQvrwo7am4zVkZTnKa72pheQeez/16sURDWm7Seyz+HUxKi3BM6fthVVPUEBhtJ0reyVtuK9ArmnaKl10Q==", "requires": { - "@algolia/client-common": "4.19.1", - "@algolia/client-search": "4.19.1", - "@algolia/transporter": "4.19.1" + "@algolia/client-common": "4.20.0", + "@algolia/client-search": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "@algolia/client-analytics": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/client-analytics/-/client-analytics-4.19.1.tgz", - "integrity": "sha512-5QCq2zmgdZLIQhHqwl55ZvKVpLM3DNWjFI4T+bHr3rGu23ew2bLO4YtyxaZeChmDb85jUdPDouDlCumGfk6wOg==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/client-analytics/-/client-analytics-4.20.0.tgz", + "integrity": "sha512-EIr+PdFMOallRdBTHHdKI3CstslgLORQG7844Mq84ib5oVFRVASuuPmG4bXBgiDbcsMLUeOC6zRVJhv1KWI0ug==", "requires": { - "@algolia/client-common": "4.19.1", - "@algolia/client-search": "4.19.1", - "@algolia/requester-common": "4.19.1", - "@algolia/transporter": "4.19.1" + "@algolia/client-common": "4.20.0", + "@algolia/client-search": "4.20.0", + "@algolia/requester-common": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "@algolia/client-common": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-4.19.1.tgz", - "integrity": "sha512-3kAIVqTcPrjfS389KQvKzliC559x+BDRxtWamVJt8IVp7LGnjq+aVAXg4Xogkur1MUrScTZ59/AaUd5EdpyXgA==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-4.20.0.tgz", + "integrity": "sha512-P3WgMdEss915p+knMMSd/fwiHRHKvDu4DYRrCRaBrsfFw7EQHon+EbRSm4QisS9NYdxbS04kcvNoavVGthyfqQ==", "requires": { - "@algolia/requester-common": "4.19.1", - "@algolia/transporter": "4.19.1" + "@algolia/requester-common": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "@algolia/client-personalization": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/client-personalization/-/client-personalization-4.19.1.tgz", - "integrity": "sha512-8CWz4/H5FA+krm9HMw2HUQenizC/DxUtsI5oYC0Jxxyce1vsr8cb1aEiSJArQT6IzMynrERif1RVWLac1m36xw==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/client-personalization/-/client-personalization-4.20.0.tgz", + "integrity": "sha512-N9+zx0tWOQsLc3K4PVRDV8GUeOLAY0i445En79Pr3zWB+m67V+n/8w4Kw1C5LlbHDDJcyhMMIlqezh6BEk7xAQ==", "requires": { - "@algolia/client-common": "4.19.1", - "@algolia/requester-common": "4.19.1", - "@algolia/transporter": "4.19.1" + "@algolia/client-common": "4.20.0", + "@algolia/requester-common": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "@algolia/client-search": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-4.19.1.tgz", - "integrity": "sha512-mBecfMFS4N+yK/p0ZbK53vrZbL6OtWMk8YmnOv1i0LXx4pelY8TFhqKoTit3NPVPwoSNN0vdSN9dTu1xr1XOVw==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-4.20.0.tgz", + "integrity": "sha512-zgwqnMvhWLdpzKTpd3sGmMlr4c+iS7eyyLGiaO51zDZWGMkpgoNVmltkzdBwxOVXz0RsFMznIxB9zuarUv4TZg==", "requires": { - "@algolia/client-common": "4.19.1", - "@algolia/requester-common": "4.19.1", - "@algolia/transporter": "4.19.1" + "@algolia/client-common": "4.20.0", + "@algolia/requester-common": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "@algolia/events": { @@ -13088,47 +13092,47 @@ "integrity": "sha512-FQzvOCgoFXAbf5Y6mYozw2aj5KCJoA3m4heImceldzPSMbdyS4atVjJzXKMsfX3wnZTFYwkkt8/z8UesLHlSBQ==" }, "@algolia/logger-common": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/logger-common/-/logger-common-4.19.1.tgz", - "integrity": "sha512-i6pLPZW/+/YXKis8gpmSiNk1lOmYCmRI6+x6d2Qk1OdfvX051nRVdalRbEcVTpSQX6FQAoyeaui0cUfLYW5Elw==" + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/logger-common/-/logger-common-4.20.0.tgz", + "integrity": "sha512-xouigCMB5WJYEwvoWW5XDv7Z9f0A8VoXJc3VKwlHJw/je+3p2RcDXfksLI4G4lIVncFUYMZx30tP/rsdlvvzHQ==" }, "@algolia/logger-console": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/logger-console/-/logger-console-4.19.1.tgz", - "integrity": "sha512-jj72k9GKb9W0c7TyC3cuZtTr0CngLBLmc8trzZlXdfvQiigpUdvTi1KoWIb2ZMcRBG7Tl8hSb81zEY3zI2RlXg==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/logger-console/-/logger-console-4.20.0.tgz", + "integrity": "sha512-THlIGG1g/FS63z0StQqDhT6bprUczBI8wnLT3JWvfAQDZX5P6fCg7dG+pIrUBpDIHGszgkqYEqECaKKsdNKOUA==", "requires": { - "@algolia/logger-common": "4.19.1" + "@algolia/logger-common": "4.20.0" } }, "@algolia/requester-browser-xhr": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-4.19.1.tgz", - "integrity": "sha512-09K/+t7lptsweRTueHnSnmPqIxbHMowejAkn9XIcJMLdseS3zl8ObnS5GWea86mu3vy4+8H+ZBKkUN82Zsq/zg==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-4.20.0.tgz", + "integrity": "sha512-HbzoSjcjuUmYOkcHECkVTwAelmvTlgs48N6Owt4FnTOQdwn0b8pdht9eMgishvk8+F8bal354nhx/xOoTfwiAw==", "requires": { - "@algolia/requester-common": "4.19.1" + "@algolia/requester-common": "4.20.0" } }, "@algolia/requester-common": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/requester-common/-/requester-common-4.19.1.tgz", - "integrity": "sha512-BisRkcWVxrDzF1YPhAckmi2CFYK+jdMT60q10d7z3PX+w6fPPukxHRnZwooiTUrzFe50UBmLItGizWHP5bDzVQ==" + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-common/-/requester-common-4.20.0.tgz", + "integrity": "sha512-9h6ye6RY/BkfmeJp7Z8gyyeMrmmWsMOCRBXQDs4mZKKsyVlfIVICpcSibbeYcuUdurLhIlrOUkH3rQEgZzonng==" }, "@algolia/requester-node-http": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-4.19.1.tgz", - "integrity": "sha512-6DK52DHviBHTG2BK/Vv2GIlEw7i+vxm7ypZW0Z7vybGCNDeWzADx+/TmxjkES2h15+FZOqVf/Ja677gePsVItA==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-4.20.0.tgz", + "integrity": "sha512-ocJ66L60ABSSTRFnCHIEZpNHv6qTxsBwJEPfYaSBsLQodm0F9ptvalFkHMpvj5DfE22oZrcrLbOYM2bdPJRHng==", "requires": { - "@algolia/requester-common": "4.19.1" + "@algolia/requester-common": "4.20.0" } }, "@algolia/transporter": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/@algolia/transporter/-/transporter-4.19.1.tgz", - "integrity": "sha512-nkpvPWbpuzxo1flEYqNIbGz7xhfhGOKGAZS7tzC+TELgEmi7z99qRyTfNSUlW7LZmB3ACdnqAo+9A9KFBENviQ==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/@algolia/transporter/-/transporter-4.20.0.tgz", + "integrity": "sha512-Lsii1pGWOAISbzeyuf+r/GPhvHMPHSPrTDWNcIzOE1SG1inlJHICaVe2ikuoRjcpgxZNU54Jl+if15SUCsaTUg==", "requires": { - "@algolia/cache-common": "4.19.1", - "@algolia/logger-common": "4.19.1", - "@algolia/requester-common": "4.19.1" + "@algolia/cache-common": "4.20.0", + "@algolia/logger-common": "4.20.0", + "@algolia/requester-common": "4.20.0" } }, "@ampproject/remapping": { @@ -14471,9 +14475,9 @@ } }, "@docusaurus/core": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/core/-/core-2.4.1.tgz", - "integrity": "sha512-SNsY7PshK3Ri7vtsLXVeAJGS50nJN3RgF836zkyUfAD01Fq+sAk5EwWgLw+nnm5KVNGDu7PRR2kRGDsWvqpo0g==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/core/-/core-2.4.3.tgz", + "integrity": "sha512-dWH5P7cgeNSIg9ufReX6gaCl/TmrGKD38Orbwuz05WPhAQtFXHd5B8Qym1TiXfvUNvwoYKkAJOJuGe8ou0Z7PA==", "requires": { "@babel/core": "^7.18.6", "@babel/generator": "^7.18.7", @@ -14485,13 +14489,13 @@ "@babel/runtime": "^7.18.6", "@babel/runtime-corejs3": "^7.18.6", "@babel/traverse": "^7.18.8", - "@docusaurus/cssnano-preset": "2.4.1", - "@docusaurus/logger": "2.4.1", - "@docusaurus/mdx-loader": "2.4.1", + "@docusaurus/cssnano-preset": "2.4.3", + "@docusaurus/logger": "2.4.3", + "@docusaurus/mdx-loader": "2.4.3", "@docusaurus/react-loadable": "5.5.2", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-common": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-common": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "@slorber/static-site-generator-webpack-plugin": "^4.0.7", "@svgr/webpack": "^6.2.1", "autoprefixer": "^10.4.7", @@ -14632,9 +14636,9 @@ } }, "@docusaurus/cssnano-preset": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/cssnano-preset/-/cssnano-preset-2.4.1.tgz", - "integrity": "sha512-ka+vqXwtcW1NbXxWsh6yA1Ckii1klY9E53cJ4O9J09nkMBgrNX3iEFED1fWdv8wf4mJjvGi5RLZ2p9hJNjsLyQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/cssnano-preset/-/cssnano-preset-2.4.3.tgz", + "integrity": "sha512-ZvGSRCi7z9wLnZrXNPG6DmVPHdKGd8dIn9pYbEOFiYihfv4uDR3UtxogmKf+rT8ZlKFf5Lqne8E8nt08zNM8CA==", "requires": { "cssnano-preset-advanced": "^5.3.8", "postcss": "^8.4.14", @@ -14650,9 +14654,9 @@ } }, "@docusaurus/logger": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/logger/-/logger-2.4.1.tgz", - "integrity": "sha512-5h5ysIIWYIDHyTVd8BjheZmQZmEgWDR54aQ1BX9pjFfpyzFo5puKXKYrYJXbjEHGyVhEzmB9UXwbxGfaZhOjcg==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/logger/-/logger-2.4.3.tgz", + "integrity": "sha512-Zxws7r3yLufk9xM1zq9ged0YHs65mlRmtsobnFkdZTxWXdTYlWWLWdKyNKAsVC+D7zg+pv2fGbyabdOnyZOM3w==", "requires": { "chalk": "^4.1.2", "tslib": "^2.4.0" @@ -14666,14 +14670,14 @@ } }, "@docusaurus/mdx-loader": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/mdx-loader/-/mdx-loader-2.4.1.tgz", - "integrity": "sha512-4KhUhEavteIAmbBj7LVFnrVYDiU51H5YWW1zY6SmBSte/YLhDutztLTBE0PQl1Grux1jzUJeaSvAzHpTn6JJDQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/mdx-loader/-/mdx-loader-2.4.3.tgz", + "integrity": "sha512-b1+fDnWtl3GiqkL0BRjYtc94FZrcDDBV1j8446+4tptB9BAOlePwG2p/pK6vGvfL53lkOsszXMghr2g67M0vCw==", "requires": { "@babel/parser": "^7.18.8", "@babel/traverse": "^7.18.8", - "@docusaurus/logger": "2.4.1", - "@docusaurus/utils": "2.4.1", + "@docusaurus/logger": "2.4.3", + "@docusaurus/utils": "2.4.3", "@mdx-js/mdx": "^1.6.22", "escape-html": "^1.0.3", "file-loader": "^6.2.0", @@ -14697,12 +14701,12 @@ } }, "@docusaurus/module-type-aliases": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/module-type-aliases/-/module-type-aliases-2.4.1.tgz", - "integrity": "sha512-gLBuIFM8Dp2XOCWffUDSjtxY7jQgKvYujt7Mx5s4FCTfoL5dN1EVbnrn+O2Wvh8b0a77D57qoIDY7ghgmatR1A==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/module-type-aliases/-/module-type-aliases-2.4.3.tgz", + "integrity": "sha512-cwkBkt1UCiduuvEAo7XZY01dJfRn7UR/75mBgOdb1hKknhrabJZ8YH+7savd/y9kLExPyrhe0QwdS9GuzsRRIA==", "requires": { "@docusaurus/react-loadable": "5.5.2", - "@docusaurus/types": "2.4.1", + "@docusaurus/types": "2.4.3", "@types/history": "^4.7.11", "@types/react": "*", "@types/react-router-config": "*", @@ -14712,17 +14716,17 @@ } }, "@docusaurus/plugin-content-blog": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-blog/-/plugin-content-blog-2.4.1.tgz", - "integrity": "sha512-E2i7Knz5YIbE1XELI6RlTnZnGgS52cUO4BlCiCUCvQHbR+s1xeIWz4C6BtaVnlug0Ccz7nFSksfwDpVlkujg5Q==", - "requires": { - "@docusaurus/core": "2.4.1", - "@docusaurus/logger": "2.4.1", - "@docusaurus/mdx-loader": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-common": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-blog/-/plugin-content-blog-2.4.3.tgz", + "integrity": "sha512-PVhypqaA0t98zVDpOeTqWUTvRqCEjJubtfFUQ7zJNYdbYTbS/E/ytq6zbLVsN/dImvemtO/5JQgjLxsh8XLo8Q==", + "requires": { + "@docusaurus/core": "2.4.3", + "@docusaurus/logger": "2.4.3", + "@docusaurus/mdx-loader": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-common": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "cheerio": "^1.0.0-rc.12", "feed": "^4.2.2", "fs-extra": "^10.1.0", @@ -14742,17 +14746,17 @@ } }, "@docusaurus/plugin-content-docs": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-docs/-/plugin-content-docs-2.4.1.tgz", - "integrity": "sha512-Lo7lSIcpswa2Kv4HEeUcGYqaasMUQNpjTXpV0N8G6jXgZaQurqp7E8NGYeGbDXnb48czmHWbzDL4S3+BbK0VzA==", - "requires": { - "@docusaurus/core": "2.4.1", - "@docusaurus/logger": "2.4.1", - "@docusaurus/mdx-loader": "2.4.1", - "@docusaurus/module-type-aliases": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-docs/-/plugin-content-docs-2.4.3.tgz", + "integrity": "sha512-N7Po2LSH6UejQhzTCsvuX5NOzlC+HiXOVvofnEPj0WhMu1etpLEXE6a4aTxrtg95lQ5kf0xUIdjX9sh3d3G76A==", + "requires": { + "@docusaurus/core": "2.4.3", + "@docusaurus/logger": "2.4.3", + "@docusaurus/mdx-loader": "2.4.3", + "@docusaurus/module-type-aliases": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "@types/react-router-config": "^5.0.6", "combine-promises": "^1.1.0", "fs-extra": "^10.1.0", @@ -14772,15 +14776,15 @@ } }, "@docusaurus/plugin-content-pages": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-pages/-/plugin-content-pages-2.4.1.tgz", - "integrity": "sha512-/UjuH/76KLaUlL+o1OvyORynv6FURzjurSjvn2lbWTFc4tpYY2qLYTlKpTCBVPhlLUQsfyFnshEJDLmPneq2oA==", - "requires": { - "@docusaurus/core": "2.4.1", - "@docusaurus/mdx-loader": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-pages/-/plugin-content-pages-2.4.3.tgz", + "integrity": "sha512-txtDVz7y3zGk67q0HjG0gRttVPodkHqE0bpJ+7dOaTH40CQFLSh7+aBeGnPOTl+oCPG+hxkim4SndqPqXjQ8Bg==", + "requires": { + "@docusaurus/core": "2.4.3", + "@docusaurus/mdx-loader": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "fs-extra": "^10.1.0", "tslib": "^2.4.0", "webpack": "^5.73.0" @@ -14794,13 +14798,13 @@ } }, "@docusaurus/plugin-debug": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-debug/-/plugin-debug-2.4.1.tgz", - "integrity": "sha512-7Yu9UPzRShlrH/G8btOpR0e6INFZr0EegWplMjOqelIwAcx3PKyR8mgPTxGTxcqiYj6hxSCRN0D8R7YrzImwNA==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-debug/-/plugin-debug-2.4.3.tgz", + "integrity": "sha512-LkUbuq3zCmINlFb+gAd4ZvYr+bPAzMC0hwND4F7V9bZ852dCX8YoWyovVUBKq4er1XsOwSQaHmNGtObtn8Av8Q==", "requires": { - "@docusaurus/core": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", + "@docusaurus/core": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", "fs-extra": "^10.1.0", "react-json-view": "^1.21.3", "tslib": "^2.4.0" @@ -14814,13 +14818,13 @@ } }, "@docusaurus/plugin-google-analytics": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-analytics/-/plugin-google-analytics-2.4.1.tgz", - "integrity": "sha512-dyZJdJiCoL+rcfnm0RPkLt/o732HvLiEwmtoNzOoz9MSZz117UH2J6U2vUDtzUzwtFLIf32KkeyzisbwUCgcaQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-analytics/-/plugin-google-analytics-2.4.3.tgz", + "integrity": "sha512-KzBV3k8lDkWOhg/oYGxlK5o9bOwX7KpPc/FTWoB+SfKhlHfhq7qcQdMi1elAaVEIop8tgK6gD1E58Q+XC6otSQ==", "requires": { - "@docusaurus/core": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "@docusaurus/core": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "tslib": "^2.4.0" }, "dependencies": { @@ -14832,13 +14836,13 @@ } }, "@docusaurus/plugin-google-gtag": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-gtag/-/plugin-google-gtag-2.4.1.tgz", - "integrity": "sha512-mKIefK+2kGTQBYvloNEKtDmnRD7bxHLsBcxgnbt4oZwzi2nxCGjPX6+9SQO2KCN5HZbNrYmGo5GJfMgoRvy6uA==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-gtag/-/plugin-google-gtag-2.4.3.tgz", + "integrity": "sha512-5FMg0rT7sDy4i9AGsvJC71MQrqQZwgLNdDetLEGDHLfSHLvJhQbTCUGbGXknUgWXQJckcV/AILYeJy+HhxeIFA==", "requires": { - "@docusaurus/core": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "@docusaurus/core": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "tslib": "^2.4.0" }, "dependencies": { @@ -14850,13 +14854,13 @@ } }, "@docusaurus/plugin-google-tag-manager": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-tag-manager/-/plugin-google-tag-manager-2.4.1.tgz", - "integrity": "sha512-Zg4Ii9CMOLfpeV2nG74lVTWNtisFaH9QNtEw48R5QE1KIwDBdTVaiSA18G1EujZjrzJJzXN79VhINSbOJO/r3g==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-tag-manager/-/plugin-google-tag-manager-2.4.3.tgz", + "integrity": "sha512-1jTzp71yDGuQiX9Bi0pVp3alArV0LSnHXempvQTxwCGAEzUWWaBg4d8pocAlTpbP9aULQQqhgzrs8hgTRPOM0A==", "requires": { - "@docusaurus/core": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "@docusaurus/core": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "tslib": "^2.4.0" }, "dependencies": { @@ -14868,16 +14872,16 @@ } }, "@docusaurus/plugin-sitemap": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-sitemap/-/plugin-sitemap-2.4.1.tgz", - "integrity": "sha512-lZx+ijt/+atQ3FVE8FOHV/+X3kuok688OydDXrqKRJyXBJZKgGjA2Qa8RjQ4f27V2woaXhtnyrdPop/+OjVMRg==", - "requires": { - "@docusaurus/core": "2.4.1", - "@docusaurus/logger": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-common": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-sitemap/-/plugin-sitemap-2.4.3.tgz", + "integrity": "sha512-LRQYrK1oH1rNfr4YvWBmRzTL0LN9UAPxBbghgeFRBm5yloF6P+zv1tm2pe2hQTX/QP5bSKdnajCvfnScgKXMZQ==", + "requires": { + "@docusaurus/core": "2.4.3", + "@docusaurus/logger": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-common": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "fs-extra": "^10.1.0", "sitemap": "^7.1.1", "tslib": "^2.4.0" @@ -14891,23 +14895,23 @@ } }, "@docusaurus/preset-classic": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/preset-classic/-/preset-classic-2.4.1.tgz", - "integrity": "sha512-P4//+I4zDqQJ+UDgoFrjIFaQ1MeS9UD1cvxVQaI6O7iBmiHQm0MGROP1TbE7HlxlDPXFJjZUK3x3cAoK63smGQ==", - "requires": { - "@docusaurus/core": "2.4.1", - "@docusaurus/plugin-content-blog": "2.4.1", - "@docusaurus/plugin-content-docs": "2.4.1", - "@docusaurus/plugin-content-pages": "2.4.1", - "@docusaurus/plugin-debug": "2.4.1", - "@docusaurus/plugin-google-analytics": "2.4.1", - "@docusaurus/plugin-google-gtag": "2.4.1", - "@docusaurus/plugin-google-tag-manager": "2.4.1", - "@docusaurus/plugin-sitemap": "2.4.1", - "@docusaurus/theme-classic": "2.4.1", - "@docusaurus/theme-common": "2.4.1", - "@docusaurus/theme-search-algolia": "2.4.1", - "@docusaurus/types": "2.4.1" + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/preset-classic/-/preset-classic-2.4.3.tgz", + "integrity": "sha512-tRyMliepY11Ym6hB1rAFSNGwQDpmszvWYJvlK1E+md4SW8i6ylNHtpZjaYFff9Mdk3i/Pg8ItQq9P0daOJAvQw==", + "requires": { + "@docusaurus/core": "2.4.3", + "@docusaurus/plugin-content-blog": "2.4.3", + "@docusaurus/plugin-content-docs": "2.4.3", + "@docusaurus/plugin-content-pages": "2.4.3", + "@docusaurus/plugin-debug": "2.4.3", + "@docusaurus/plugin-google-analytics": "2.4.3", + "@docusaurus/plugin-google-gtag": "2.4.3", + "@docusaurus/plugin-google-tag-manager": "2.4.3", + "@docusaurus/plugin-sitemap": "2.4.3", + "@docusaurus/theme-classic": "2.4.3", + "@docusaurus/theme-common": "2.4.3", + "@docusaurus/theme-search-algolia": "2.4.3", + "@docusaurus/types": "2.4.3" } }, "@docusaurus/react-loadable": { @@ -14920,22 +14924,22 @@ } }, "@docusaurus/theme-classic": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-classic/-/theme-classic-2.4.1.tgz", - "integrity": "sha512-Rz0wKUa+LTW1PLXmwnf8mn85EBzaGSt6qamqtmnh9Hflkc+EqiYMhtUJeLdV+wsgYq4aG0ANc+bpUDpsUhdnwg==", - "requires": { - "@docusaurus/core": "2.4.1", - "@docusaurus/mdx-loader": "2.4.1", - "@docusaurus/module-type-aliases": "2.4.1", - "@docusaurus/plugin-content-blog": "2.4.1", - "@docusaurus/plugin-content-docs": "2.4.1", - "@docusaurus/plugin-content-pages": "2.4.1", - "@docusaurus/theme-common": "2.4.1", - "@docusaurus/theme-translations": "2.4.1", - "@docusaurus/types": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-common": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-classic/-/theme-classic-2.4.3.tgz", + "integrity": "sha512-QKRAJPSGPfDY2yCiPMIVyr+MqwZCIV2lxNzqbyUW0YkrlmdzzP3WuQJPMGLCjWgQp/5c9kpWMvMxjhpZx1R32Q==", + "requires": { + "@docusaurus/core": "2.4.3", + "@docusaurus/mdx-loader": "2.4.3", + "@docusaurus/module-type-aliases": "2.4.3", + "@docusaurus/plugin-content-blog": "2.4.3", + "@docusaurus/plugin-content-docs": "2.4.3", + "@docusaurus/plugin-content-pages": "2.4.3", + "@docusaurus/theme-common": "2.4.3", + "@docusaurus/theme-translations": "2.4.3", + "@docusaurus/types": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-common": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "@mdx-js/react": "^1.6.22", "clsx": "^1.2.1", "copy-text-to-clipboard": "^3.0.1", @@ -14959,17 +14963,17 @@ } }, "@docusaurus/theme-common": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-common/-/theme-common-2.4.1.tgz", - "integrity": "sha512-G7Zau1W5rQTaFFB3x3soQoZpkgMbl/SYNG8PfMFIjKa3M3q8n0m/GRf5/H/e5BqOvt8c+ZWIXGCiz+kUCSHovA==", - "requires": { - "@docusaurus/mdx-loader": "2.4.1", - "@docusaurus/module-type-aliases": "2.4.1", - "@docusaurus/plugin-content-blog": "2.4.1", - "@docusaurus/plugin-content-docs": "2.4.1", - "@docusaurus/plugin-content-pages": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-common": "2.4.1", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-common/-/theme-common-2.4.3.tgz", + "integrity": "sha512-7KaDJBXKBVGXw5WOVt84FtN8czGWhM0lbyWEZXGp8AFfL6sZQfRTluFp4QriR97qwzSyOfQb+nzcDZZU4tezUw==", + "requires": { + "@docusaurus/mdx-loader": "2.4.3", + "@docusaurus/module-type-aliases": "2.4.3", + "@docusaurus/plugin-content-blog": "2.4.3", + "@docusaurus/plugin-content-docs": "2.4.3", + "@docusaurus/plugin-content-pages": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-common": "2.4.3", "@types/history": "^4.7.11", "@types/react": "*", "@types/react-router-config": "*", @@ -14989,18 +14993,18 @@ } }, "@docusaurus/theme-search-algolia": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-search-algolia/-/theme-search-algolia-2.4.1.tgz", - "integrity": "sha512-6BcqW2lnLhZCXuMAvPRezFs1DpmEKzXFKlYjruuas+Xy3AQeFzDJKTJFIm49N77WFCTyxff8d3E4Q9pi/+5McQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-search-algolia/-/theme-search-algolia-2.4.3.tgz", + "integrity": "sha512-jziq4f6YVUB5hZOB85ELATwnxBz/RmSLD3ksGQOLDPKVzat4pmI8tddNWtriPpxR04BNT+ZfpPUMFkNFetSW1Q==", "requires": { "@docsearch/react": "^3.1.1", - "@docusaurus/core": "2.4.1", - "@docusaurus/logger": "2.4.1", - "@docusaurus/plugin-content-docs": "2.4.1", - "@docusaurus/theme-common": "2.4.1", - "@docusaurus/theme-translations": "2.4.1", - "@docusaurus/utils": "2.4.1", - "@docusaurus/utils-validation": "2.4.1", + "@docusaurus/core": "2.4.3", + "@docusaurus/logger": "2.4.3", + "@docusaurus/plugin-content-docs": "2.4.3", + "@docusaurus/theme-common": "2.4.3", + "@docusaurus/theme-translations": "2.4.3", + "@docusaurus/utils": "2.4.3", + "@docusaurus/utils-validation": "2.4.3", "algoliasearch": "^4.13.1", "algoliasearch-helper": "^3.10.0", "clsx": "^1.2.1", @@ -15019,9 +15023,9 @@ } }, "@docusaurus/theme-translations": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-translations/-/theme-translations-2.4.1.tgz", - "integrity": "sha512-T1RAGP+f86CA1kfE8ejZ3T3pUU3XcyvrGMfC/zxCtc2BsnoexuNI9Vk2CmuKCb+Tacvhxjv5unhxXce0+NKyvA==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-translations/-/theme-translations-2.4.3.tgz", + "integrity": "sha512-H4D+lbZbjbKNS/Zw1Lel64PioUAIT3cLYYJLUf3KkuO/oc9e0QCVhIYVtUI2SfBCF2NNdlyhBDQEEMygsCedIg==", "requires": { "fs-extra": "^10.1.0", "tslib": "^2.4.0" @@ -15035,9 +15039,9 @@ } }, "@docusaurus/types": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/types/-/types-2.4.1.tgz", - "integrity": "sha512-0R+cbhpMkhbRXX138UOc/2XZFF8hiZa6ooZAEEJFp5scytzCw4tC1gChMFXrpa3d2tYE6AX8IrOEpSonLmfQuQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/types/-/types-2.4.3.tgz", + "integrity": "sha512-W6zNLGQqfrp/EoPD0bhb9n7OobP+RHpmvVzpA+Z/IuU3Q63njJM24hmT0GYboovWcDtFmnIJC9wcyx4RVPQscw==", "requires": { "@types/history": "^4.7.11", "@types/react": "*", @@ -15050,11 +15054,11 @@ } }, "@docusaurus/utils": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/utils/-/utils-2.4.1.tgz", - "integrity": "sha512-1lvEZdAQhKNht9aPXPoh69eeKnV0/62ROhQeFKKxmzd0zkcuE/Oc5Gpnt00y/f5bIsmOsYMY7Pqfm/5rteT5GA==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/utils/-/utils-2.4.3.tgz", + "integrity": "sha512-fKcXsjrD86Smxv8Pt0TBFqYieZZCPh4cbf9oszUq/AMhZn3ujwpKaVYZACPX8mmjtYx0JOgNx52CREBfiGQB4A==", "requires": { - "@docusaurus/logger": "2.4.1", + "@docusaurus/logger": "2.4.3", "@svgr/webpack": "^6.2.1", "escape-string-regexp": "^4.0.0", "file-loader": "^6.2.0", @@ -15080,9 +15084,9 @@ } }, "@docusaurus/utils-common": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/utils-common/-/utils-common-2.4.1.tgz", - "integrity": "sha512-bCVGdZU+z/qVcIiEQdyx0K13OC5mYwxhSuDUR95oFbKVuXYRrTVrwZIqQljuo1fyJvFTKHiL9L9skQOPokuFNQ==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/utils-common/-/utils-common-2.4.3.tgz", + "integrity": "sha512-/jascp4GbLQCPVmcGkPzEQjNaAk3ADVfMtudk49Ggb+131B1WDD6HqlSmDf8MxGdy7Dja2gc+StHf01kiWoTDQ==", "requires": { "tslib": "^2.4.0" }, @@ -15095,12 +15099,12 @@ } }, "@docusaurus/utils-validation": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/@docusaurus/utils-validation/-/utils-validation-2.4.1.tgz", - "integrity": "sha512-unII3hlJlDwZ3w8U+pMO3Lx3RhI4YEbY3YNsQj4yzrkZzlpqZOLuAiZK2JyULnD+TKbceKU0WyWkQXtYbLNDFA==", + "version": "2.4.3", + "resolved": "https://registry.npmjs.org/@docusaurus/utils-validation/-/utils-validation-2.4.3.tgz", + "integrity": "sha512-G2+Vt3WR5E/9drAobP+hhZQMaswRwDlp6qOMi7o7ZypB+VO7N//DZWhZEwhcRGepMDJGQEwtPv7UxtYwPL9PBw==", "requires": { - "@docusaurus/logger": "2.4.1", - "@docusaurus/utils": "2.4.1", + "@docusaurus/logger": "2.4.3", + "@docusaurus/utils": "2.4.3", "joi": "^17.6.0", "js-yaml": "^4.1.0", "tslib": "^2.4.0" @@ -15848,9 +15852,9 @@ "integrity": "sha512-wWKOClTTiizcZhXnPY4wikVAwmdYHp8q6DmC+EJUzAMsycb7HB32Kh9RN4+0gExjmPmZSAQjgURXIGATPegAvA==" }, "@types/sax": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@types/sax/-/sax-1.2.4.tgz", - "integrity": "sha512-pSAff4IAxJjfAXUG6tFkO7dsSbTmf8CtUpfhhZ5VhkRpC4628tJhh3+V6H1E+/Gs9piSzYKT5yzHO5M4GG9jkw==", + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/@types/sax/-/sax-1.2.6.tgz", + "integrity": "sha512-A1mpYCYu1aHFayy8XKN57ebXeAbh9oQIZ1wXcno6b1ESUAfMBDMx7mf/QGlYwcMRaFryh9YBuH03i/3FlPGDkQ==", "requires": { "@types/node": "*" } @@ -16145,30 +16149,30 @@ "requires": {} }, "algoliasearch": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/algoliasearch/-/algoliasearch-4.19.1.tgz", - "integrity": "sha512-IJF5b93b2MgAzcE/tuzW0yOPnuUyRgGAtaPv5UUywXM8kzqfdwZTO4sPJBzoGz1eOy6H9uEchsJsBFTELZSu+g==", - "requires": { - "@algolia/cache-browser-local-storage": "4.19.1", - "@algolia/cache-common": "4.19.1", - "@algolia/cache-in-memory": "4.19.1", - "@algolia/client-account": "4.19.1", - "@algolia/client-analytics": "4.19.1", - "@algolia/client-common": "4.19.1", - "@algolia/client-personalization": "4.19.1", - "@algolia/client-search": "4.19.1", - "@algolia/logger-common": "4.19.1", - "@algolia/logger-console": "4.19.1", - "@algolia/requester-browser-xhr": "4.19.1", - "@algolia/requester-common": "4.19.1", - "@algolia/requester-node-http": "4.19.1", - "@algolia/transporter": "4.19.1" + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/algoliasearch/-/algoliasearch-4.20.0.tgz", + "integrity": "sha512-y+UHEjnOItoNy0bYO+WWmLWBlPwDjKHW6mNHrPi0NkuhpQOOEbrkwQH/wgKFDLh7qlKjzoKeiRtlpewDPDG23g==", + "requires": { + "@algolia/cache-browser-local-storage": "4.20.0", + "@algolia/cache-common": "4.20.0", + "@algolia/cache-in-memory": "4.20.0", + "@algolia/client-account": "4.20.0", + "@algolia/client-analytics": "4.20.0", + "@algolia/client-common": "4.20.0", + "@algolia/client-personalization": "4.20.0", + "@algolia/client-search": "4.20.0", + "@algolia/logger-common": "4.20.0", + "@algolia/logger-console": "4.20.0", + "@algolia/requester-browser-xhr": "4.20.0", + "@algolia/requester-common": "4.20.0", + "@algolia/requester-node-http": "4.20.0", + "@algolia/transporter": "4.20.0" } }, "algoliasearch-helper": { - "version": "3.14.0", - "resolved": "https://registry.npmjs.org/algoliasearch-helper/-/algoliasearch-helper-3.14.0.tgz", - "integrity": "sha512-gXDXzsSS0YANn5dHr71CUXOo84cN4azhHKUbg71vAWnH+1JBiR4jf7to3t3JHXknXkbV0F7f055vUSBKrltHLQ==", + "version": "3.15.0", + "resolved": "https://registry.npmjs.org/algoliasearch-helper/-/algoliasearch-helper-3.15.0.tgz", + "integrity": "sha512-DGUnK3TGtDQsaUE4ayF/LjSN0DGsuYThB8WBgnnDY0Wq04K6lNVruO3LfqJOgSfDiezp+Iyt8Tj4YKHi+/ivSA==", "requires": { "@algolia/events": "^4.0.1" } @@ -16239,13 +16243,13 @@ "integrity": "sha512-+q/t7Ekv1EDY2l6Gda6LLiX14rU9TV20Wa3ofeQmwPFZbOMo9DXrLbOjFaaclkXKWidIaopwAObQDqwWtGUjqg==" }, "autoprefixer": { - "version": "10.4.15", - "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.15.tgz", - "integrity": "sha512-KCuPB8ZCIqFdA4HwKXsvz7j6gvSDNhDP7WnUjBleRkKjPdvCmHFuQ77ocavI8FT6NdvlBnE2UFr2H4Mycn8Vew==", + "version": "10.4.16", + "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.16.tgz", + "integrity": "sha512-7vd3UC6xKp0HLfua5IjZlcXvGAGy7cBAXTg2lyQ/8WpNhd6SiZ8Be+xm3FyBSYJx5GKcpRCzBh7RH4/0dnY+uQ==", "requires": { "browserslist": "^4.21.10", - "caniuse-lite": "^1.0.30001520", - "fraction.js": "^4.2.0", + "caniuse-lite": "^1.0.30001538", + "fraction.js": "^4.3.6", "normalize-range": "^0.1.2", "picocolors": "^1.0.0", "postcss-value-parser": "^4.2.0" @@ -16567,9 +16571,9 @@ } }, "caniuse-lite": { - "version": "1.0.30001529", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001529.tgz", - "integrity": "sha512-n2pUQYGAkrLG4QYj2desAh+NqsJpHbNmVZz87imptDdxLAtjxary7Df/psdfyDGmskJK/9Dt9cPnx5RZ3CU4Og==" + "version": "1.0.30001554", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001554.tgz", + "integrity": "sha512-A2E3U//MBwbJVzebddm1YfNp7Nud5Ip+IPn4BozBmn4KqVX7AvluoIDFWjsv5OkGnKUXQVmMSoMKLa3ScCblcQ==" }, "ccount": { "version": "1.1.0", @@ -18016,9 +18020,9 @@ "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==" }, "fraction.js": { - "version": "4.3.6", - "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-4.3.6.tgz", - "integrity": "sha512-n2aZ9tNfYDwaHhvFTkhFErqOMIb8uyzSQ+vGJBjZyanAKZVbGUQ1sngfk9FdkBw7G26O7AgNjLcecLffD1c7eg==" + "version": "4.3.7", + "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-4.3.7.tgz", + "integrity": "sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew==" }, "fresh": { "version": "0.5.2", @@ -20932,9 +20936,9 @@ } }, "search-insights": { - "version": "2.8.2", - "resolved": "https://registry.npmjs.org/search-insights/-/search-insights-2.8.2.tgz", - "integrity": "sha512-PxA9M5Q2bpBelVvJ3oDZR8nuY00Z6qwOxL53wNpgzV28M/D6u9WUbImDckjLSILBF8F1hn/mgyuUaOPtjow4Qw==", + "version": "2.9.0", + "resolved": "https://registry.npmjs.org/search-insights/-/search-insights-2.9.0.tgz", + "integrity": "sha512-bkWW9nIHOFkLwjQ1xqVaMbjjO5vhP26ERsH9Y3pKr8imthofEFIxlnOabkmGcw6ksRj9jWidcI65vvjJH/nTGg==", "peer": true }, "section-matter": { @@ -21600,9 +21604,9 @@ "peer": true }, "ua-parser-js": { - "version": "1.0.35", - "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.35.tgz", - "integrity": "sha512-fKnGuqmTBnIE+/KXSzCn4db8RTigUzw1AN0DmdU6hJovUTbYJKyqj+8Mt1c4VfRDnOVJnENmfYkIPZ946UrSAA==" + "version": "1.0.36", + "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.36.tgz", + "integrity": "sha512-znuyCIXzl8ciS3+y3fHJI/2OhQIXbXw9MWC/o3qwyR+RGppjZHrM27CGFSKCJXi2Kctiz537iOu2KnXs1lMQhw==" }, "unherit": { "version": "1.1.3", diff --git a/docs/package.json b/docs/package.json index ce25c11435..b6d69cc0f9 100644 --- a/docs/package.json +++ b/docs/package.json @@ -12,8 +12,8 @@ "serve": "docusaurus serve" }, "dependencies": { - "@docusaurus/core": "^2.0.0-beta.15", - "@docusaurus/preset-classic": "^2.0.0-beta.15", + "@docusaurus/core": "^2.4.3", + "@docusaurus/preset-classic": "^2.4.3", "@easyops-cn/docusaurus-search-local": "^0.29.0", "@mdx-js/react": "^1.6.22", "clsx": "^1.1.1", diff --git a/docs/sidebars.js b/docs/sidebars.js index f74b9da6f1..b573ad5eb8 100644 --- a/docs/sidebars.js +++ b/docs/sidebars.js @@ -11,18 +11,61 @@ module.exports = { { type: 'category', label: 'Configuration', + link: { + type: 'doc', + id: 'configuration/overview', + }, collapsed: false, - items: ['configuration/overview', 'configuration/oauth_provider', 'configuration/session_storage', 'configuration/tls', 'configuration/alpha-config'], + items: [ + 'configuration/overview', + { + type: 'category', + label: 'OAuth Provider Configuration', + link: { + type: 'doc', + id: 'configuration/providers/index', + }, + items: [ + 'configuration/providers/google', + 'configuration/providers/azure', + 'configuration/providers/adfs', + 'configuration/providers/facebook', + 'configuration/providers/github', + 'configuration/providers/gitea', + 'configuration/providers/keycloak', + 'configuration/providers/keycloak_oidc', + 'configuration/providers/gitlab', + 'configuration/providers/linkedin', + 'configuration/providers/azure_ad', + 'configuration/providers/openid_connect', + 'configuration/providers/login_gov', + 'configuration/providers/nextcloud', + 'configuration/providers/digitalocean', + 'configuration/providers/bitbucket', + ], + }, + 'configuration/session_storage', + 'configuration/tls', + 'configuration/alpha-config', + ], }, { type: 'category', label: 'Features', + link: { + type: 'doc', + id: 'features/endpoints', + }, collapsed: false, items: ['features/endpoints'], }, { type: 'category', label: 'Community', + link: { + type: 'doc', + id: 'community/security', + }, collapsed: false, items: ['community/security'], }, diff --git a/pkg/apis/options/legacy_options.go b/pkg/apis/options/legacy_options.go index fcd1f3d3d3..f5747f020e 100644 --- a/pkg/apis/options/legacy_options.go +++ b/pkg/apis/options/legacy_options.go @@ -605,7 +605,7 @@ func legacyGoogleFlagSet() *pflag.FlagSet { flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls") flagSet.String("google-service-account-json", "", "the path to the service account json credentials") flagSet.String("google-use-application-default-credentials", "", "use application default credentials instead of service account json (i.e. GKE Workload Identity)") - flagSet.String("google-target-principal", "", "the targetprincipal to impersonate when using ADC") + flagSet.String("google-target-principal", "", "the target principal to impersonate when using ADC") return flagSet } diff --git a/pkg/apis/options/upstreams.go b/pkg/apis/options/upstreams.go index 0042a61a5d..dab4f62b77 100644 --- a/pkg/apis/options/upstreams.go +++ b/pkg/apis/options/upstreams.go @@ -12,7 +12,7 @@ const ( // UpstreamConfig is a collection of definitions for upstream servers. type UpstreamConfig struct { - // ProxyRawPath will pass the raw url path to upstream allowing for url's + // ProxyRawPath will pass the raw url path to upstream allowing for urls // like: "/%2F/" which would otherwise be redirected to "/" ProxyRawPath bool `json:"proxyRawPath,omitempty"` @@ -60,7 +60,7 @@ type Upstream struct { // InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts. // This option is insecure and will allow potential Man-In-The-Middle attacks - // betweem OAuth2 Proxy and the usptream server. + // between OAuth2 Proxy and the upstream server. // Defaults to false. InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"` From e55ac342f0689b2fad1cf7c6344c3610b8146be7 Mon Sep 17 00:00:00 2001 From: Robert Deaton Date: Tue, 31 Oct 2023 12:42:46 -0700 Subject: [PATCH 15/17] Use updated key names in oauth2-proxy-alpha-config.yaml (#2253) --- contrib/local-environment/oauth2-proxy-alpha-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/local-environment/oauth2-proxy-alpha-config.yaml b/contrib/local-environment/oauth2-proxy-alpha-config.yaml index 1c9d3df616..6a46e1b1fe 100644 --- a/contrib/local-environment/oauth2-proxy-alpha-config.yaml +++ b/contrib/local-environment/oauth2-proxy-alpha-config.yaml @@ -20,4 +20,4 @@ providers: clientSecret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK clientID: oauth2-proxy oidcConfig: - oidcIssuerURL: http://dex.localhost:4190/dex + issuerURL: http://dex.localhost:4190/dex From 8142c9eeec4caab000370bb2b4f7aff7992e054c Mon Sep 17 00:00:00 2001 From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Date: Tue, 31 Oct 2023 20:49:22 +0100 Subject: [PATCH 16/17] Added a checkbox for tested changes to PR template (#2285) * Added a checkbox for tested changes to PR template * Update PULL_REQUEST_TEMPLATE.md * Update .github/PULL_REQUEST_TEMPLATE.md Co-authored-by: Jan Larwig --------- Co-authored-by: Jan Larwig --- .github/PULL_REQUEST_TEMPLATE.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index f5fbdf5aea..20aad51261 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -23,3 +23,4 @@ - [ ] My change requires a change to the documentation or CHANGELOG. - [ ] I have updated the documentation/CHANGELOG accordingly. - [ ] I have created a feature (non-master) branch for my PR. +- [ ] I have written tests for my code changes. From 66a81e6eeb4ab4e6cacac4957ed943825196cb87 Mon Sep 17 00:00:00 2001 From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Date: Tue, 31 Oct 2023 20:53:03 +0100 Subject: [PATCH 17/17] Updated oauth2-proxy tags to 7.5.1 (#2303) --- contrib/local-environment/docker-compose-gitea.yaml | 2 +- contrib/local-environment/docker-compose-keycloak.yaml | 2 +- contrib/local-environment/docker-compose.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/local-environment/docker-compose-gitea.yaml b/contrib/local-environment/docker-compose-gitea.yaml index c616862200..6bd6e7757c 100644 --- a/contrib/local-environment/docker-compose-gitea.yaml +++ b/contrib/local-environment/docker-compose-gitea.yaml @@ -14,7 +14,7 @@ version: '3.0' services: oauth2-proxy: container_name: oauth2-proxy - image: gitea-oauth #quay.io/oauth2-proxy/oauth2-proxy:v7.4.0 + image: gitea-oauth #quay.io/oauth2-proxy/oauth2-proxy:v7.5.1 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose-keycloak.yaml b/contrib/local-environment/docker-compose-keycloak.yaml index 4f6e8bbbbe..e9dfa17e36 100644 --- a/contrib/local-environment/docker-compose-keycloak.yaml +++ b/contrib/local-environment/docker-compose-keycloak.yaml @@ -15,7 +15,7 @@ services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.0 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose.yaml b/contrib/local-environment/docker-compose.yaml index d233bb7e9a..c5ba9ecf62 100644 --- a/contrib/local-environment/docker-compose.yaml +++ b/contrib/local-environment/docker-compose.yaml @@ -13,7 +13,7 @@ version: '3.0' services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.0 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1 command: --config /oauth2-proxy.cfg ports: - 4180:4180/tcp