From ee39467ade12aa6dc6b69b0a8db3f0615f75f126 Mon Sep 17 00:00:00 2001 From: Benjamin FERNANDEZ Date: Tue, 18 Jul 2023 14:58:24 +0200 Subject: [PATCH 01/13] Add frame ancestor configuration for web app to prevent clickjacking --- cmd/dex/config.go | 1 + cmd/dex/serve.go | 4 ++++ server/server.go | 26 ++++++++++++++++++++++++++ 3 files changed, 31 insertions(+) diff --git a/cmd/dex/config.go b/cmd/dex/config.go index 831156fd40..8cd539707d 100644 --- a/cmd/dex/config.go +++ b/cmd/dex/config.go @@ -150,6 +150,7 @@ type Web struct { TLSCert string `json:"tlsCert"` TLSKey string `json:"tlsKey"` AllowedOrigins []string `json:"allowedOrigins"` + FrameAncestors []string `json:"frameAncestors"` } // Telemetry is the config format for telemetry including the HTTP server config. diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go index 47b090aeab..0de06a56e0 100644 --- a/cmd/dex/serve.go +++ b/cmd/dex/serve.go @@ -253,6 +253,10 @@ func runServe(options serveOptions) error { logger.Infof("config allowed origins: %s", c.Web.AllowedOrigins) } + if len(c.Web.FrameAncestors) > 0 { + logger.Infof("config allowed frame ancestors: %s", c.Web.FrameAncestors) + } + // explicitly convert to UTC. now := func() time.Time { return time.Now().UTC() } diff --git a/server/server.go b/server/server.go index 444fb7e15a..57b2d57c0f 100644 --- a/server/server.go +++ b/server/server.go @@ -77,6 +77,11 @@ type Config struct { // domain. AllowedOrigins []string + // List of domain allowed to frame the content of the application. + // By default no one is accepted to prevent against clickjacking. + // Passing in "*" will allow any domain + FrameAncestors []string + // If enabled, the server won't prompt the user to approve authorization requests. // Logging in implies approval. SkipApprovalScreen bool 
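Review bot: The doc comment added to FrameAncestors in the server.go Config hunk is hard to read ("List of domain allowed", "prevent against clickjacking") and does not say what the entries are matched against or why the default is what it is. Suggest `// FrameAncestors lists the origins allowed to embed Dex's pages in a frame (CSP frame-ancestors). Empty means no origin may frame Dex, the clickjacking-safe default; "*" allows any origin, and an entry equal to the issuer URL is sent as 'self'.` The matching field added to Web in config.go carries no comment at all; a one-liner pointing at this directive would help operators writing the config file.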
@@ -339,7 +344,28 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 }
 }
 
+
+ // frame-ancestors middleware
+ frameAncestorsMidldleware := func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ var ancestors string
+ if len(c.FrameAncestors) > 0 {
+ for i := 0; i < len(c.FrameAncestors); i++ {
+ if c.FrameAncestors[i] == issuerURL.String() {
+ c.FrameAncestors[i] = "'self'"
+ }
+ }
+ ancestors = strings.Join(c.FrameAncestors, " ")
+ } else {
+ ancestors = "'none'"
+ }
+ w.Header().Set("Content-Security-Policy", "frame-ancestors "+ancestors)
+ next.ServeHTTP(w, r)
+ })
+ }
+
 r := mux.NewRouter().SkipClean(true).UseEncodedPath()
+ r.Use(frameAncestorsMidldleware)
 handle := func(p string, h http.Handler) {
 r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, h))
 }
From c92b9fa03098c8e0d848205464e212b248d9df5b Mon Sep 17 00:00:00 2001
From: Fernandez Benjamin
Date: Fri, 21 Jul 2023 11:54:29 +0200
Subject: [PATCH 02/13] Create docker-image.yml

Signed-off-by: Fernandez Benjamin
---
 .github/workflows/docker-image.yml | 49 ++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/docker-image.yml

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
new file mode 100644
index 0000000000..8cf4db220d
--- /dev/null
+++ b/.github/workflows/docker-image.yml
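Review bot: frameAncestorsMidldleware rewrites c.FrameAncestors in place from inside the request handler (`c.FrameAncestors[i] = "'self'"`), so concurrent first requests write the same backing array — a data race under `-race`, and one that also mutates the caller's config slice — while the issuer comparison and strings.Join are redone on every request for a value that never changes. Compute the header value once in newServer and let the handler only set it, and fix the name (Midldleware) while there; the rewrite below does that with no change in the emitted header. Note that any entry that is an empty string becomes a stray token in the directive, so a startup-time check on the configured values would be cheap to add here. As far as I recall gorilla/mux applies r.Use middleware only to matched routes, so a NotFoundHandler, if one is configured outside this hunk, would answer without the CSP header. newServer starts and ends outside the hunk.
```go
	// Resolve the frame-ancestors source list once: mutating c.FrameAncestors
	// from inside the handler would race across concurrent requests.
	ancestors := "'none'"
	if len(c.FrameAncestors) > 0 {
		sources := make([]string, 0, len(c.FrameAncestors))
		for _, a := range c.FrameAncestors {
			if a == issuerURL.String() {
				a = "'self'"
			}
			sources = append(sources, a)
		}
		ancestors = strings.Join(sources, " ")
	}
	csp := "frame-ancestors " + ancestors
	frameAncestorsMiddleware := func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Content-Security-Policy", csp)
			next.ServeHTTP(w, r)
		})
	}

	r := mux.NewRouter().SkipClean(true).UseEncodedPath()
	r.Use(frameAncestorsMiddleware)
	// … unchanged: handle helper and route registration …
```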
@@ -0,0 +1,49 @@ +name: Create and publish a Docker image + +# Configures this workflow to run every time a change is pushed to the branch called `release`. +on: + push: + branches: ['release-orange'] + pull_request: + branches: ['release-orange'] + +# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu. +jobs: + build-and-push-image: + runs-on: ubuntu-latest + # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. + permissions: + contents: read + packages: write + # + steps: + - name: Checkout repository + uses: actions/checkout@v3 + # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. + - name: Log in to the Container registry + uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. 
+ # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. + # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. + - name: Build and push Docker image + uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + with: + context: . + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} From 39f45c101201511e2f2740ba819fc26701f00027 Mon Sep 17 00:00:00 2001 From: Benjamin FERNANDEZ Date: Fri, 21 Jul 2023 12:17:21 +0200 Subject: [PATCH 03/13] Remove docker registry login because unused --- .github/workflows/artifacts.yaml | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml index cb90eb159e..88239c6e78 100644 --- a/.github/workflows/artifacts.yaml +++ b/.github/workflows/artifacts.yaml @@ -8,11 +8,6 @@ on: default: false required: false type: boolean - secrets: - DOCKER_USERNAME: - required: true - DOCKER_PASSWORD: - required: true outputs: container-image-name: description: Container image name 
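Review bot: The workflow is triggered on `pull_request` but the build step has an unconditional `push: true`, so a pull request against release-orange builds the PR's Dockerfile and publishes the result to ghcr.io under the repository name using the `packages: write` token (for PRs from forks the token is normally read-only, so the login step would fail there rather than push). Gate publishing on the event: `push: ${{ github.event_name != 'pull_request' }}`. `actions/checkout@v3` is the only step pinned to a mutable tag while the other three steps are pinned to commit SHAs; pin it the same way. The header comment still says the workflow runs for "the branch called `release`", which no longer matches the `release-orange` trigger directly below it.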
@@ -105,31 +100,6 @@ jobs: password: ${{ github.token }} if: inputs.publish - - name: Login to Docker Hub - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - if: inputs.publish - - - name: Build and push image - id: build - uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 - with: - context: . - platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le - tags: ${{ steps.meta.outputs.tags }} - build-args: | - BASE_IMAGE=${{ matrix.variant }} - VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} - COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} - BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - labels: ${{ steps.meta.outputs.labels }} - # cache-from: type=gha - # cache-to: type=gha,mode=max - outputs: ${{ steps.build-output.outputs.value }} - # push: ${{ inputs.publish }} - - name: Set image ref id: image-ref run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" From 462a1eef43ffddefc787bda0a3790946712c9fe0 Mon Sep 17 00:00:00 2001 From: Benjamin FERNANDEZ Date: Fri, 21 Jul 2023 12:33:05 +0200 Subject: [PATCH 04/13] Change github actions --- .github/workflows/artifacts.yaml | 157 ----------------------- .github/workflows/checks-release.yaml | 18 +++ .github/workflows/checks.yaml | 51 ++++++-- .github/workflows/ci.yaml | 173 -------------------------- ADOPTERS.md | 16 --- MAINTAINERS | 6 - 6 files changed, 60 insertions(+), 361 deletions(-) delete mode 100644 .github/workflows/artifacts.yaml create mode 100644 .github/workflows/checks-release.yaml delete mode 100644 .github/workflows/ci.yaml delete mode 100644 ADOPTERS.md delete mode 100644 MAINTAINERS 
diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml deleted file mode 100644 index 88239c6e78..0000000000 --- a/.github/workflows/artifacts.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -name: Artifacts - -on: - workflow_call: - inputs: - publish: - description: Publish artifacts to the artifact store - default: false - required: false - type: boolean - outputs: - container-image-name: - description: Container image name - value: ${{ jobs.container-image.outputs.name }} - container-image-digest: - description: Container image digest - value: ${{ jobs.container-image.outputs.digest }} - container-image-ref: - description: Container image ref - value: ${{ jobs.container-image.outputs.ref }} - -permissions: - contents: read - -jobs: - container-image: - name: Container image - runs-on: ubuntu-latest - - strategy: - matrix: - variant: - - alpine - - distroless - - permissions: - contents: read - packages: write - id-token: write - security-events: write - - outputs: - name: ${{ steps.image-name.outputs.value }} - digest: ${{ steps.build.outputs.digest }} - ref: ${{ steps.image-ref.outputs.value }} - - steps: - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Set up QEMU - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0 - - - name: Set up Syft - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - - - name: Set image name - id: image-name - run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" - - - name: Gather build metadata - id: meta - uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 - with: - images: | - ${{ steps.image-name.outputs.value }} - dexidp/dex - flavor: | - latest = false - tags: | - type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }} - type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }} - type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }} - type=raw,value=latest,enable=${{ 
github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }} - type=ref,event=branch,suffix=-${{ matrix.variant }} - type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }} - type=semver,pattern={{raw}},suffix=-${{ matrix.variant }} - type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }} - labels: | - org.opencontainers.image.documentation=https://dexidp.io/docs/ - - # Multiple exporters are not supported yet - # See https://github.com/moby/buildkit/pull/2760 - - name: Determine build output - uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 - id: build-output - with: - cond: ${{ inputs.publish }} - if_true: type=image,push=true - if_false: type=oci,dest=image.tar - - - name: Login to GitHub Container Registry - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ github.token }} - if: inputs.publish - - - name: Set image ref - id: image-ref - run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" - - - name: Fetch image - run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar - if: inputs.publish - - # Uncomment the following lines for debugging: - # - name: Upload image as artifact - # uses: actions/upload-artifact@v3 - # with: - # name: "[${{ github.job }}] OCI tarball" - # path: image.tar - - - name: Extract OCI tarball - run: | - mkdir -p image - tar -xf image.tar -C image - - # - name: List tags - # run: skopeo --insecure-policy list-tags oci:image - # - # # See https://github.com/anchore/syft/issues/1545 - # - name: Extract image from multi-arch image - # run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar - # - # - name: Generate SBOM - # 
run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar - # - # - name: Upload SBOM as artifact - # uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - # with: - # name: "[${{ github.job }}] SBOM" - # path: sbom-spdx.json - # retention-days: 5 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2 - with: - input: image - format: sarif - output: trivy-results.sarif - - - name: Upload Trivy scan results as artifact - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: "[${{ github.job }}] Trivy scan results" - path: trivy-results.sarif - retention-days: 5 - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 - with: - sarif_file: trivy-results.sarif diff --git a/.github/workflows/checks-release.yaml b/.github/workflows/checks-release.yaml new file mode 100644 index 0000000000..2d093d503e --- /dev/null +++ b/.github/workflows/checks-release.yaml @@ -0,0 +1,18 @@ +name: Check release + +on: + pull_request: + branches: ['release-orange'] + +jobs: + release-label: + name: Release note label + runs-on: ubuntu-latest + + steps: + - name: Check minimum labels + uses: mheap/github-action-required-labels@v5 + with: + mode: minimum + count: 1 + labels: "release-note/ignore, kind/feature, release-note/new-feature, kind/enhancement, release-note/enhancement, kind/bug, release-note/bug-fix, release-note/breaking-change, release-note/deprecation, area/dependencies, release-note/dependency-update" diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 5a1cd80f17..62d61b249b 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml 
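Review bot: checks-release.yaml declares no `permissions:` block, so its GITHUB_TOKEN receives the repository's default scope; the ci.yaml deleted in this same commit set `permissions: contents: read` at the top level, and that restriction is lost in the move. Add a top-level `permissions:` with `contents: read` (plus `pull-requests: read` if the label action needs it — worth confirming against its documentation). `mheap/github-action-required-labels@v5` is pinned to a mutable tag while the steps in checks.yaml in this commit are pinned to commit SHAs with a version comment; pin this one the same way.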
@@ -1,18 +1,51 @@ -name: PR Checks +name: Checks on: + push: + branches: ['release-orange'] pull_request: - types: [opened, labeled, unlabeled, synchronize] + branches: ['release-orange'] jobs: - release-label: - name: Release note label + lint: + name: Lint runs-on: ubuntu-latest steps: - - name: Check minimum labels - uses: mheap/github-action-required-labels@v5 + - name: Checkout repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - name: Set up Go + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + with: + go-version: "1.20" + + - name: Download golangci-lint + run: make bin/golangci-lint + + - name: Lint + run: make lint + + security-scan: + name: Trivy vulnerability scanner + runs-on: ubuntu-latest + steps: + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2 + with: + #input: image + scan-type: 'fs' + format: sarif + output: trivy-results.sarif + + - name: Upload Trivy scan results as artifact + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + with: + name: "[${{ github.job }}] Trivy scan results" + path: trivy-results.sarif + retention-days: 5 + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 with: - mode: minimum - count: 1 - labels: "release-note/ignore, kind/feature, release-note/new-feature, kind/enhancement, release-note/enhancement, kind/bug, release-note/bug-fix, release-note/breaking-change, release-note/deprecation, area/dependencies, release-note/dependency-update" + sarif_file: trivy-results.sarif diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml deleted file mode 100644 index 0b9713773b..0000000000 --- a/.github/workflows/ci.yaml +++ /dev/null 
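Review bot: The new security-scan job runs Trivy with `scan-type: 'fs'` but has no checkout step, so the runner workspace is empty and the filesystem scan covers nothing; add `- name: Checkout repository` / `uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3` before the Trivy step, as the lint job does. The upload-sarif step needs `security-events: write`, which the deleted artifacts.yaml granted on its job but this workflow does not declare, so with a restricted default token the upload will fail; give the job `permissions:` with `contents: read` and `security-events: write`. With ci.yaml deleted in the same commit, its `test` job (`make testall` against the service containers) and the dependency-review job are not carried over anywhere, so after this commit no CI job runs the test suite — if that is intentional the commit message should say so. The `#input: image` line is a leftover from the image-based scan and can go.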
@@ -1,173 +0,0 @@ -name: CI - -on: - push: - branches: [ master ] - pull_request: - -permissions: - contents: read - -jobs: - test: - name: Test - runs-on: ubuntu-latest - - services: - postgres: - image: postgres:10.8 - ports: - - 5432 - options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 - - postgres-ent: - image: postgres:10.8 - ports: - - 5432 - options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 - - mysql: - image: mysql:5.7 - env: - MYSQL_ROOT_PASSWORD: root - MYSQL_DATABASE: dex - ports: - - 3306 - options: --health-cmd "mysql -proot -e \"show databases;\"" --health-interval 10s --health-timeout 5s --health-retries 5 - - mysql-ent: - image: mysql:5.7 - env: - MYSQL_ROOT_PASSWORD: root - MYSQL_DATABASE: dex - ports: - - 3306 - options: --health-cmd "mysql -proot -e \"show databases;\"" --health-interval 10s --health-timeout 5s --health-retries 5 - - etcd: - image: gcr.io/etcd-development/etcd:v3.5.0 - ports: - - 2379 - env: - ETCD_LISTEN_CLIENT_URLS: http://0.0.0.0:2379 - ETCD_ADVERTISE_CLIENT_URLS: http://0.0.0.0:2379 - options: --health-cmd "ETCDCTL_API=3 etcdctl --endpoints http://localhost:2379 endpoint health" --health-interval 10s --health-timeout 5s --health-retries 5 - - keystone: - image: openio/openstack-keystone:rocky - ports: - - 5000 - - 35357 - options: --health-cmd "curl --fail http://localhost:5000/v3" --health-interval 10s --health-timeout 5s --health-retries 5 - - steps: - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Set up Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version: "1.20" - - - name: Download tool dependencies - run: make deps - - # Ensure that generated files were committed. - # It can help us determine, that the code is in the intermediate state, which should not be tested. 
- # Thus, heavy jobs like creating a kind cluster and testing / linting will be skipped. - - name: Verify - run: make verify - - - name: Start services - run: docker-compose -f docker-compose.test.yaml up -d - - - name: Create kind cluster - uses: helm/kind-action@v1.8.0 - with: - version: "v0.17.0" - node_image: "kindest/node:v1.25.3@sha256:cd248d1438192f7814fbca8fede13cfe5b9918746dfa12583976158a834fd5c5" - - - name: Test - run: make testall - env: - DEX_MYSQL_DATABASE: dex - DEX_MYSQL_USER: root - DEX_MYSQL_PASSWORD: root - DEX_MYSQL_HOST: 127.0.0.1 - DEX_MYSQL_PORT: ${{ job.services.mysql.ports[3306] }} - - DEX_MYSQL_ENT_DATABASE: dex - DEX_MYSQL_ENT_USER: root - DEX_MYSQL_ENT_PASSWORD: root - DEX_MYSQL_ENT_HOST: 127.0.0.1 - DEX_MYSQL_ENT_PORT: ${{ job.services.mysql-ent.ports[3306] }} - - DEX_POSTGRES_DATABASE: postgres - DEX_POSTGRES_USER: postgres - DEX_POSTGRES_PASSWORD: postgres - DEX_POSTGRES_HOST: localhost - DEX_POSTGRES_PORT: ${{ job.services.postgres.ports[5432] }} - - DEX_POSTGRES_ENT_DATABASE: postgres - DEX_POSTGRES_ENT_USER: postgres - DEX_POSTGRES_ENT_PASSWORD: postgres - DEX_POSTGRES_ENT_HOST: localhost - DEX_POSTGRES_ENT_PORT: ${{ job.services.postgres-ent.ports[5432] }} - - DEX_ETCD_ENDPOINTS: http://localhost:${{ job.services.etcd.ports[2379] }} - - DEX_LDAP_HOST: localhost - DEX_LDAP_PORT: 389 - DEX_LDAP_TLS_PORT: 636 - - DEX_KEYSTONE_URL: http://localhost:${{ job.services.keystone.ports[5000] }} - DEX_KEYSTONE_ADMIN_URL: http://localhost:${{ job.services.keystone.ports[35357] }} - DEX_KEYSTONE_ADMIN_USER: demo - DEX_KEYSTONE_ADMIN_PASS: DEMO_PASS - - DEX_KUBERNETES_CONFIG_PATH: ~/.kube/config - - lint: - name: Lint - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Set up Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version: "1.20" - - - name: Download golangci-lint - run: make bin/golangci-lint 
- - - name: Lint - run: make lint - - artifacts: - name: Artifacts - uses: ./.github/workflows/artifacts.yaml - with: - publish: ${{ github.event_name == 'push' }} - secrets: - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - permissions: - contents: read - packages: write - id-token: write - security-events: write - - dependency-review: - name: Dependency review - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' - - steps: - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Dependency Review - uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6 diff --git a/ADOPTERS.md b/ADOPTERS.md deleted file mode 100644 index fddaa38f20..0000000000 --- a/ADOPTERS.md +++ /dev/null 
@@ -1,16 +0,0 @@ -# Adopters - -This is a list of production adopters of Dex (in alphabetical order): - -- [Argo CD](https://argoproj.github.io/cd) integrates Dex to provide convenient Single Sign On capabilities to its web UI and CLI -- [Aspect](https://www.aspect.com/) uses Dex for authenticating users across their Kubernetes infrastructure (using Kubernetes OIDC support). -- [Banzai Cloud](https://banzaicloud.com) is using Dex for authenticating to its Pipeline control plane and also to authenticate users against provisioned Kubernetes clusters (via Kubernetes OIDC support). -- [Chef](https://chef.io) uses Dex for authenticating users in [Chef Automate](https://automate.chef.io/). The code is Open Source, available at [`github.com/chef/automate`](https://github.com/chef/automate). -- [Elastisys](https://elastisys.com) uses Dex for authentication in their [Compliant Kubernetes](https://compliantkubernetes.io) distribution, including SSO to the custom dashboard, Grafana, Kibana, and Harbor. -- [Flant](https://flant.com) uses Dex for providing access to core components of [Managed Kubernetes as a Service](https://flant.com/services/managed-kubernetes-as-a-service), integration with various authentication providers, plugging custom applications. -- [JuliaBox](https://juliabox.com/) is leveraging federated OIDC provided by Dex for authenticating users to their compute infrastructure based on Kubernetes. -- [Kasten](https://www.kasten.io) is using Dex for authenticating access to the dashboard of [K10](https://www.kasten.io/product/), a Kubernetes-native platform for backup, disaster recovery and mobility of Kubernetes applications. K10 is widely used by a variety of customers including large enterprises, financial services, design firms, and IT companies. 
-- [Kyma](https://kyma-project.io) is using Dex to authenticate access to Kubernetes API server (even for managed Kubernetes like Google Kubernetes Engine or Azure Kubernetes Service) and for protecting web UI of [Kyma Console](https://github.com/kyma-project/console) and other UIs integrated in Kyma ([Grafana](https://github.com/grafana/grafana), [Loki](https://github.com/grafana/loki), and [Jaeger](https://github.com/jaegertracing/jaeger)). Kyma is an open-source project ([`github.com/kyma-project`](https://github.com/kyma-project/kyma)) designed natively on Kubernetes, that allows you to extend and customize your applications in a quick and modern way, using serverless computing or microservice architecture. -- [Pusher](https://pusher.com) uses Dex for authenticating users across their Kubernetes infrastructure (using Kubernetes OIDC support) in conjunction with the [OAuth2 Proxy](https://github.com/pusher/oauth2_proxy) for protecting web UIs. -- [Pydio](https://pydio.com/) Pydio Cells is an open source sync & share platform written in Go. Cells is using Dex as an OIDC service for authentication and authorizations. Check out [Pydio Cells repository](https://github.com/pydio/cells) for more information and/or to contribute. -- [sigstore](https://sigstore.dev) uses Dex for authentication in their public Fulcio instance, which is a certificate authority for code signing certificates bound to OIDC-based identities. diff --git a/MAINTAINERS b/MAINTAINERS deleted file mode 100644 index b95c2499de..0000000000 --- a/MAINTAINERS +++ /dev/null @@ -1,6 +0,0 @@ -Joel Speed (@JoelSpeed) -Maksim Nabokikh (@nabokihms) -Mark Sagi-Kazar (@sagikazarmark) -Nandor Kracser (@bonifaido) -Rithu John (@rithujohn191) -Stephen Augustus (@justaugustus) From 2ec99d2eb90c56b4d8a221ad55fc1e83d8ce0b06 Mon Sep 17 00:00:00 2001 From: Fernandez Benjamin Date: Mon, 24 Jul 2023 16:59:14 +0200 Subject: [PATCH 05/13] Update README.md 
Signed-off-by: Fernandez Benjamin --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 338e5f9814..0067b0dcf3 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ ![logo](docs/logos/dex-horizontal-color.png) + Dex is an identity service that uses [OpenID Connect][openid-connect] to drive authentication for other apps. Dex acts as a portal to other identity providers through ["connectors."](#connectors) This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend. From 542f7700746144dbbbb824441ed8207955ec5af1 Mon Sep 17 00:00:00 2001 From: Fernandez Benjamin Date: Tue, 25 Jul 2023 15:21:26 +0200 Subject: [PATCH 06/13] Update README.md Signed-off-by: Fernandez Benjamin --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 0067b0dcf3..338e5f9814 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,6 @@ ![logo](docs/logos/dex-horizontal-color.png) - Dex is an identity service that uses [OpenID Connect][openid-connect] to drive authentication for other apps. Dex acts as a portal to other identity providers through ["connectors."](#connectors) This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend. From 774370d94e7c566602b7886cbabdbc8740e193f7 Mon Sep 17 00:00:00 2001 From: Fernandez Benjamin Date: Tue, 25 Jul 2023 15:22:21 +0200 Subject: [PATCH 07/13] Update docker-image.yml Signed-off-by: Fernandez Benjamin --- .github/workflows/docker-image.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 8cf4db220d..b36af8f643 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -3,9 +3,7 @@ name: Create and publish a Docker image # Configures this workflow to run every time a change is pushed to the branch called `release`. on: push: - branches: ['release-orange'] - pull_request: - branches: ['release-orange'] + branches: ['release-orange-v2.37.0'] # Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. env: @@ -45,5 +43,4 @@ jobs: with: context: . push: true - tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} From 0f39eb7e701e8cee193f3d6b68e20464fac27a2b Mon Sep 17 00:00:00 2001 From: Fernandez Benjamin Date: Tue, 25 Jul 2023 15:33:00 +0200 Subject: [PATCH 08/13] Update docker-image.yml Signed-off-by: Fernandez Benjamin --- .github/workflows/docker-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index b36af8f643..b92faea5da 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -43,4 +43,5 @@ jobs: with: context: . push: true + tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} From f15ae58183dd72759e534f0a08d18d260c73b0d4 Mon Sep 17 00:00:00 2001 From: Fernandez Benjamin Date: Tue, 25 Jul 2023 15:38:06 +0200 Subject: [PATCH 09/13] Update docker-image.yml Signed-off-by: Fernandez Benjamin --- .github/workflows/docker-image.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 8cf4db220d..929a8cb36e 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
@@ -3,9 +3,8 @@ name: Create and publish a Docker image # Configures this workflow to run every time a change is pushed to the branch called `release`. on: push: - branches: ['release-orange'] - pull_request: - branches: ['release-orange'] + tags: + - "**" # Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. env: From 771bf9cda2b097ecfd4912d9641ce3fc6ccf8c33 Mon Sep 17 00:00:00 2001 From: Fernandez Benjamin Date: Tue, 25 Jul 2023 15:41:26 +0200 Subject: [PATCH 10/13] Update checks.yaml Signed-off-by: Fernandez Benjamin --- .github/workflows/checks.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 62d61b249b..cacebf8871 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -2,9 +2,11 @@ name: Checks on: push: - branches: ['release-orange'] + branches: + - '**' pull_request: - branches: ['release-orange'] + branches: + - '**' jobs: lint: From 2443945ad567f08f42d62871314ffade2f97569f Mon Sep 17 00:00:00 2001 From: Fernandez Benjamin Date: Tue, 25 Jul 2023 15:41:38 +0200 Subject: [PATCH 11/13] Update checks.yaml Signed-off-by: Fernandez Benjamin --- .github/workflows/checks.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 62d61b249b..cacebf8871 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -2,9 +2,11 @@ name: Checks on: push: - branches: ['release-orange'] + branches: + - '**' pull_request: - branches: ['release-orange'] + branches: + - '**' jobs: lint: From c42367b8ec8a78827cc4138e69a7c085c4b945bc Mon Sep 17 00:00:00 2001 From: Fernandez Benjamin Date: Tue, 25 Jul 2023 16:23:47 +0200 Subject: [PATCH 12/13] Update server.go 
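Review bot: This patch's `index 8cf4db220d..929a8cb36e` line shows it was generated against docker-image.yml as created by patch 02, not the b92faea5da state left by patches 07 and 08, which already replaced the same `branches:` lines, so applying 07–09 in order would stop on this hunk; rebase it onto 08 so the series applies cleanly. It also picks a different trigger from 07 (any tag push rather than the release-orange-v2.37.0 branch), so the series should state which one is intended.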
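Review bot: Patches 10 and 11 are byte-identical — the same `index 62d61b249b..cacebf8871` line and the same hunk — so once 10 is applied, 11 has nothing left to change and `git am` would stop on it; drop 11 from the series. Separately, `branches: - '**'` on both push and pull_request widens the lint and Trivy jobs from release-orange to every branch, which is reasonable for checks but differs from docker-image.yml, which this series narrows to tag pushes.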
Signed-off-by: Fernandez Benjamin
---
 server/server.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/server/server.go b/server/server.go
index d27188f7ae..7d6e85ed5f 100644
--- a/server/server.go
+++ b/server/server.go
@@ -344,7 +344,6 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 }
 }
 
 
- // frame-ancestors middleware
 frameAncestorsMidldleware := func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
From 7dc978edaad48fd7046ebffa038aafe3df6cd28f Mon Sep 17 00:00:00 2001
From: Benjamin FERNANDEZ
Date: Mon, 4 Sep 2023 14:58:04 +0200
Subject: [PATCH 13/13] server/server.go : Increase buffer size

---
 server/server.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/server/server.go b/server/server.go
index 7d6e85ed5f..de492e5870 100644
--- a/server/server.go
+++ b/server/server.go
@@ -1,6 +1,7 @@
 package server
 
 import (
+ "bufio"
 "context"
 "crypto/rsa"
 "encoding/json"
@@ -363,7 +364,19 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 })
 }
 
+ // Buffer size middleware
+ bufferSizeMidldleware := func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w := bufio.NewWriterSize(w, 4096*2)
+ if w.Buffered() > 0 {
+ w.Flush()
+ }
+ next.ServeHTTP(w, r)
+ })
+ }
+
 r := mux.NewRouter().SkipClean(true).UseEncodedPath()
+ r.Use(bufferSizeMidldleware)
 r.Use(frameAncestorsMidldleware)
 handle := func(p string, h http.Handler) {
 r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, h))
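Review bot: bufferSizeMidldleware does not compile as written: `w := bufio.NewWriterSize(w, 4096*2)` redeclares the handler parameter w in the same scope (no new variable on the left of :=), and even as a plain assignment a *bufio.Writer is not an http.ResponseWriter — it has no Header or WriteHeader — so `next.ServeHTTP(w, r)` would not type-check. The `if w.Buffered() > 0` check on a freshly created writer is always false, and nothing flushes after next.ServeHTTP returns, so any output that did get buffered would be lost. The net/http server already buffers writes to the response, and the hunk does not say what the larger buffer is meant to fix; if it is really needed it has to be a wrapper type that embeds http.ResponseWriter and flushes in a defer after the handler, otherwise drop the middleware, its r.Use line and the bufio import added in the first hunk. newServer starts and ends outside the hunk.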