Merge branch 'oauth2-proxy:master' into master

punktDeForks · Oct 2, 2024 · 453b317 · 453b317
2 parents 6154987 + f5d3670
commit 453b317
Show file tree

Hide file tree

Showing 90 changed files with 4,335 additions and 17,003 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/vscode/devcontainers/go:1-1.21
+FROM mcr.microsoft.com/vscode/devcontainers/go:1-1.22
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -26,12 +26,10 @@ jobs:
     - name: Get dependencies
       env:
         # renovate: datasource=github-tags depName=golangci/golangci-lint
-        GOLANGCI_LINT_VERSION: v1.55.2
-        # renovate: datasource=github-tags depName=codeclimate/test-reporter
-        CODECLIMATE_VERSION: v1.0.1
+        GOLANGCI_LINT_VERSION: v1.61.0
       run: |
         curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
-        curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-${CODECLIMATE_VERSION#v}-linux-amd64 > ./cc-test-reporter
+        curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
         chmod +x ./cc-test-reporter
 
     - name: Verify Code Generation

diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -66,7 +66,7 @@ jobs:
         VERSION=${FULL_VERSION%.*}.x
 
         if [ ! -d "versioned_docs/version-${VERSION}" ]; then
-          npm ci
+          npm install
           npm run docusaurus docs:version ${VERSION}
 
           git add .
@@ -90,6 +90,8 @@ jobs:
         ## Important Notes
 
         ## Breaking Changes
+
+        ## Changes since v${VERSION}
         EOF
 
         echo -e "$(cat /tmp/CHANGELOG.prepend)\n\n$(cat CHANGELOG.md)" > CHANGELOG.md

diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -24,13 +24,11 @@ jobs:
         with:
           # renovate: datasource=node-version depName=node
           node-version: 20
-          cache: npm
-          cache-dependency-path: "./docs/package-lock.json"
 
       - name: Test Build
         working-directory: ./docs
         run: |
-          npm ci
+          npm install
           npm run build
 
   build-docs:
@@ -47,7 +45,7 @@ jobs:
       - name: Build docusaurus
         working-directory: ./docs
         run: |
-          npm ci
+          npm install
           npm run build
       
       - name: Upload artifact

diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -49,7 +49,8 @@ jobs:
 
     - name: Get dependencies
       env:
-        GOLANGCI_LINT_VERSION: v1.55.2
+        # renovate: datasource=github-tags depName=golangci/golangci-lint
+        GOLANGCI_LINT_VERSION: v1.61.0
       run: |
         curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
         curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter

diff --git a/.golangci.yml b/.golangci.yml
@@ -17,7 +17,7 @@ linters:
     - goprintffuncname
     - misspell
     - prealloc
-    - exportloopref
+    - copyloopvar
     - stylecheck
     - unconvert
     - gocritic

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,25 @@
 
 ## Breaking Changes
 
+## Changes since v7.7.0
+
+# V7.7.0
+
+## Release Highlights
+
+- 🌐 Custom user agent "oauth2-proxy/<version>"
+- 💾 Added s390x architecture support
+- 🕵️‍♀️ Vulnerabilities have been addressed
+  - CVE-2024-24786
+  - CVE-2024-24791
+  - CVE-2024-24790
+  - CVE-2024-24784
+- 📖 Improved docs
+
+## Important Notes
+
+## Breaking Changes
+
 ## Changes since v7.6.0
 
 - [#2539](https://github.com/oauth2-proxy/oauth2-proxy/pull/2539) pkg/http: Fix leaky test (@isodude)
@@ -14,6 +33,10 @@
 - [#2674](https://github.com/oauth2-proxy/oauth2-proxy/pull/2674) docs: additional notes about available claims for HeaderValue (@vegetablest)
 - [#2459](https://github.com/oauth2-proxy/oauth2-proxy/pull/2459) chore(deps): Updated to ginkgo v2 (@kvanzuijlen, @tuunit)
 - [#2112](https://github.com/oauth2-proxy/oauth2-proxy/pull/2112) docs: update list of providers which support refresh tokens (@mikefab-msf)
+- [#2734](https://github.com/oauth2-proxy/oauth2-proxy/pull/2734) Added s390x architecture option support (@priby05)
+- [#2589](https://github.com/oauth2-proxy/oauth2-proxy/pull/2589) Added support for regex path matching and rewriting when using a static `file:` upstream (@ianroberts)
+- [#2790](https://github.com/oauth2-proxy/oauth2-proxy/pull/2790) chore(deps): update all golang dependencies (@tuunit)
+- [#2607](https://github.com/oauth2-proxy/oauth2-proxy/pull/2607) fix(csrf): fix possible infinite loop (@Primexz)
 
 # V7.6.0
 

diff --git a/Dockerfile b/Dockerfile
@@ -37,6 +37,7 @@ RUN case ${TARGETPLATFORM} in \
          # https://github.com/golang/go/wiki/GoArm
          "linux/arm64" | "linux/arm/v8")  GOARCH=arm64  ;; \
          "linux/ppc64le")  GOARCH=ppc64le  ;; \
+         "linux/s390x")  GOARCH=s390x  ;; \
          "linux/arm/v6") GOARCH=arm GOARM=6  ;; \
          "linux/arm/v7") GOARCH=arm GOARM=7 ;; \
     esac && \

diff --git a/MAINTAINERS b/MAINTAINERS
@@ -1,4 +1,5 @@
-Joel Speed <joel.speed@hotmail.co.uk> (@JoelSpeed)
-Nick Meves <gills-vector-0p@icloud.com> (@NickMeves)
-Jan Larwig <jan@larwig.com> (@tuunit)
-Koen van Zuijlen <kvz.public@gmail.com> (@kvanzuijlen)
+Joel Speed <joel@oauth2-proxy.dev> (@JoelSpeed)
+Nick Meves <nick@oauth2-proxy.dev> (@NickMeves)
+Braunson <braunson@oauth2-proxy.dev> (@braunsonm)
+Jan Larwig <jan@oauth2-proxy.dev> (@tuunit)
+Koen van Zuijlen <koen@oauth2-proxy.dev> (@kvanzuijlen)
diff --git a/Makefile b/Makefile
@@ -42,15 +42,15 @@ build: validate-go-version clean $(BINARY)
 $(BINARY):
 	CGO_ENABLED=0 $(GO) build -a -installsuffix cgo -ldflags="-X github.com/oauth2-proxy/oauth2-proxy/v7/pkg/version.VERSION=${VERSION}" -o $@ github.com/oauth2-proxy/oauth2-proxy/v7
 
-DOCKER_BUILD_PLATFORM         ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v7
+DOCKER_BUILD_PLATFORM         ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v7,linux/s390x
 DOCKER_BUILD_RUNTIME_IMAGE    ?= gcr.io/distroless/static:nonroot
 DOCKER_BUILDX_ARGS            ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE} --build-arg VERSION=${VERSION}
 DOCKER_BUILDX                 := docker buildx build ${DOCKER_BUILDX_ARGS} --pull
 DOCKER_BUILDX_X_PLATFORM      := $(DOCKER_BUILDX) --platform ${DOCKER_BUILD_PLATFORM}
 DOCKER_BUILDX_PUSH            := $(DOCKER_BUILDX) --push
 DOCKER_BUILDX_PUSH_X_PLATFORM := $(DOCKER_BUILDX_PUSH) --platform ${DOCKER_BUILD_PLATFORM}
 
-DOCKER_BUILD_PLATFORM_ALPINE         ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6,linux/arm/v7
+DOCKER_BUILD_PLATFORM_ALPINE         ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6,linux/arm/v7,linux/s390x
 DOCKER_BUILD_RUNTIME_IMAGE_ALPINE    ?= alpine:3.20.0
 DOCKER_BUILDX_ARGS_ALPINE            ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE_ALPINE} --build-arg VERSION=${VERSION}
 DOCKER_BUILDX_X_PLATFORM_ALPINE      := docker buildx build ${DOCKER_BUILDX_ARGS_ALPINE} --platform ${DOCKER_BUILD_PLATFORM_ALPINE}
@@ -73,6 +73,7 @@ docker-all: docker
 	$(DOCKER_BUILDX) --platform linux/ppc64le -t $(REGISTRY)/$(REPOSITORY):latest-ppc64le -t $(REGISTRY)/$(REPOSITORY):${VERSION}-ppc64le .
 	$(DOCKER_BUILDX) --platform linux/arm/v6  -t $(REGISTRY)/$(REPOSITORY):latest-armv6   -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv6 .
 	$(DOCKER_BUILDX) --platform linux/arm/v7  -t $(REGISTRY)/$(REPOSITORY):latest-armv7   -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv7 .
+	$(DOCKER_BUILDX) --platform linux/s390x   -t $(REGISTRY)/$(REPOSITORY):latest-s390x -t $(REGISTRY)/$(REPOSITORY):${VERSION}-s390x .
 
 .PHONY: docker-push-all
 docker-push-all: docker-push
@@ -81,6 +82,7 @@ docker-push-all: docker-push
 	$(DOCKER_BUILDX_PUSH) --platform linux/ppc64le -t $(REGISTRY)/$(REPOSITORY):latest-ppc64le -t $(REGISTRY)/$(REPOSITORY):${VERSION}-ppc64le .
 	$(DOCKER_BUILDX_PUSH) --platform linux/arm/v6  -t $(REGISTRY)/$(REPOSITORY):latest-armv6   -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv6 .
 	$(DOCKER_BUILDX_PUSH) --platform linux/arm/v7  -t $(REGISTRY)/$(REPOSITORY):latest-armv7   -t $(REGISTRY)/$(REPOSITORY):${VERSION}-armv7 .
+	$(DOCKER_BUILDX_PUSH) --platform linux/s390x   -t $(REGISTRY)/$(REPOSITORY):latest-s390x -t $(REGISTRY)/$(REPOSITORY):${VERSION}-s390x .
 
 .PHONY: docker-nightly-build
 docker-nightly-build:

diff --git a/README.md b/README.md
@@ -31,9 +31,9 @@ Going forward, all images shall be available at `quay.io/oauth2-proxy/oauth2-pro
     ```
     This will install the binary into `$GOPATH/bin`. Make sure you include `$GOPATH` in your `$PATH`. Otherwise your system won't find binaries installed via `go install`
 
-    c. Using a [Prebuilt Docker Image](https://quay.io/oauth2-proxy/oauth2-proxy) (AMD64, PPC64LE, ARMv6, ARMv7, and ARM64 available)
+    c. Using a [Prebuilt Docker Image](https://quay.io/oauth2-proxy/oauth2-proxy) (AMD64, PPC64LE, S390x, ARMv6, ARMv7, and ARM64 available)
 
-    d. Using a [Pre-Release Nightly Docker Image](https://quay.io/oauth2-proxy/oauth2-proxy-nightly) (AMD64, PPC64LE, ARMv6, ARMv7, and ARM64 available)
+    d. Using a [Pre-Release Nightly Docker Image](https://quay.io/oauth2-proxy/oauth2-proxy-nightly) (AMD64, PPC64LE, S390x, ARMv6, ARMv7, and ARM64 available)
 
     e. Using the official [Kubernetes manifest](https://github.com/oauth2-proxy/manifests) (Helm)
 

diff --git a/contrib/local-environment/docker-compose-alpha-config.yaml b/contrib/local-environment/docker-compose-alpha-config.yaml
@@ -13,6 +13,7 @@
 version: '3.0'
 services:
   oauth2-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.0
     command: --config /oauth2-proxy.cfg --alpha-config /oauth2-proxy-alpha-config.yaml
     volumes:
       - "./oauth2-proxy-alpha-config.cfg:/oauth2-proxy.cfg"

diff --git a/contrib/local-environment/docker-compose-gitea.yaml b/contrib/local-environment/docker-compose-gitea.yaml
@@ -14,7 +14,7 @@ version: '3.0'
 services:
   oauth2-proxy:
     container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.0
     command: --config /oauth2-proxy.cfg
     hostname: oauth2-proxy
     volumes:

diff --git a/contrib/local-environment/docker-compose-keycloak.yaml b/contrib/local-environment/docker-compose-keycloak.yaml
@@ -14,7 +14,7 @@ version: '3.0'
 services:
   oauth2-proxy:
     container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.0
     command: --config /oauth2-proxy.cfg
     hostname: oauth2-proxy
     volumes:

diff --git a/contrib/local-environment/docker-compose-nginx.yaml b/contrib/local-environment/docker-compose-nginx.yaml
@@ -22,13 +22,25 @@
 version: '3.0'
 services:
   oauth2-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.0
     ports: []
     hostname: oauth2-proxy
+    container_name: oauth2-proxy
+    command: --config /oauth2-proxy.cfg
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.0
     volumes:
       - "./oauth2-proxy-nginx.cfg:/oauth2-proxy.cfg"
     networks:
       oauth2-proxy: {}
+      dex: {}
+      etcd: {}
+      httpbin: {}
+    depends_on:
+      - dex
+      - httpbin
   nginx:
+    depends_on:
+      - oauth2-proxy
     container_name: nginx
     image: nginx:1.27
     restart: unless-stopped
@@ -39,6 +51,46 @@ services:
       - "./nginx.conf:/etc/nginx/conf.d/default.conf"
     networks:
       oauth2-proxy: {}
+      dex: {}
+      etcd: {}
       httpbin: {}
+  dex:
+    container_name: dex
+    image: ghcr.io/dexidp/dex:v2.39.0
+    command: dex serve /dex.yaml
+    hostname: dex
+    volumes:
+      - "./dex.yaml:/dex.yaml"
+    restart: unless-stopped
+    ports:
+      - 4190:4190/tcp
+    networks:
+      dex:
+        aliases:
+          - dex.localtest.me
+      etcd: {}
+    depends_on:
+      - etcd
+  httpbin:
+    container_name: httpbin
+    image: kennethreitz/httpbin
+    ports:
+      - 8080:80/tcp
+    networks:
+      httpbin:
+        aliases:
+          - httpbin.localtest.me
+  etcd:
+    container_name: etcd
+    image: gcr.io/etcd-development/etcd:v3.5.13
+    entrypoint: /usr/local/bin/etcd
+    command:
+      - --listen-client-urls=http://0.0.0.0:2379
+      - --advertise-client-urls=http://etcd:2379
+    networks:
+      etcd: {}
 networks:
+  dex: {}
+  etcd: {}
+  httpbin: {}
   oauth2-proxy: {}
diff --git a/contrib/local-environment/docker-compose-traefik.yaml b/contrib/local-environment/docker-compose-traefik.yaml
@@ -23,6 +23,7 @@ version: '3.0'
 services:
 
   oauth2-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.0
     ports: []
     hostname: oauth2-proxy
     volumes:

diff --git a/contrib/local-environment/docker-compose.yaml b/contrib/local-environment/docker-compose.yaml
@@ -13,7 +13,7 @@ version: '3.0'
 services:
   oauth2-proxy:
     container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.0
     command: --config /oauth2-proxy.cfg
     hostname: oauth2-proxy
     volumes:

diff --git a/dist.sh b/dist.sh
@@ -16,6 +16,7 @@ ARCHS=(
   linux-armv6
   linux-armv7
   linux-ppc64le
+  linux-s390x
   freebsd-amd64
   windows-amd64
 )

diff --git a/docs/.gitignore b/docs/.gitignore
@@ -1,5 +1,8 @@
 # Dependencies
 /node_modules
+package-lock.json
+pnpm-lock.yaml
+yarn.lock
 
 # Production
 /build

diff --git a/docs/docs/community/contribution.md b/docs/docs/community/contribution.md
@@ -15,7 +15,7 @@ We suggest using [Visual Studio Code](https://code.visualstudio.com/docs/languag
 
 # Go version
 
-This project is currently still using go 1.19. You can follow the installation guide for go [here.](https://go.dev/doc/install) And you can find go version 1.19 in the archived section [here.](https://go.dev/dl/)
+This project is currently still using go 1.22. You can follow the installation guide for go [here.](https://go.dev/doc/install) And you can find go version 1.22 in the archived section [here.](https://go.dev/dl/)
 
 # Preparing your fork
 Clone your fork, create a feature branch and update the depedencies to get started.
@@ -44,7 +44,7 @@ For starting oauth2-proxy locally open the debugging tab and create the `launch.
             "program": "${workspaceFolder}",
             "args": [
                 "--config",
-                // The following configuration contains settings for a locally deployed 
+                // The following configuration contains settings for a locally deployed
                 // upstream and dex as an idetity provider
                 "contrib/local-environment/oauth2-proxy.cfg"
             ]
@@ -57,7 +57,7 @@ For starting oauth2-proxy locally open the debugging tab and create the `launch.
             "program": "${workspaceFolder}",
             "args": [
                 "--config",
-                // The following configuration contains settings for a locally deployed 
+                // The following configuration contains settings for a locally deployed
                 // upstream and keycloak as an idetity provider
                 "contrib/local-environment/oauth2-proxy-keycloak.cfg"
             ]

diff --git a/docs/docs/configuration/alpha_config.md b/docs/docs/configuration/alpha_config.md
@@ -525,7 +525,7 @@ Requests will be proxied to this upstream if the path matches the request path.
 | ----- | ---- | ----------- |
 | `id` | _string_ | ID should be a unique identifier for the upstream.<br/>This value is required for all upstreams. |
 | `path` | _string_ | Path is used to map requests to the upstream server.<br/>The closest match will take precedence and all Paths must be unique.<br/>Path can also take a pattern when used with RewriteTarget.<br/>Path segments can be captured and matched using regular experessions.<br/>Eg:<br/>- `^/foo$`: Match only the explicit path `/foo`<br/>- `^/bar/$`: Match any path prefixed with `/bar/`<br/>- `^/baz/(.*)$`: Match any path prefixed with `/baz` and capture the remaining path for use with RewriteTarget |
-| `rewriteTarget` | _string_ | RewriteTarget allows users to rewrite the request path before it is sent to<br/>the upstream server.<br/>Use the Path to capture segments for reuse within the rewrite target.<br/>Eg: With a Path of `^/baz/(.*)`, a RewriteTarget of `/foo/$1` would rewrite<br/>the request `/baz/abc/123` to `/foo/abc/123` before proxying to the<br/>upstream server. |
+| `rewriteTarget` | _string_ | RewriteTarget allows users to rewrite the request path before it is sent to<br/>the upstream server (for an HTTP/HTTPS upstream) or mapped to the filesystem<br/>(for a `file:` upstream).<br/>Use the Path to capture segments for reuse within the rewrite target.<br/>Eg: With a Path of `^/baz/(.*)`, a RewriteTarget of `/foo/$1` would rewrite<br/>the request `/baz/abc/123` to `/foo/abc/123` before proxying to the<br/>upstream server.  Or if the upstream were `file:///app`, a request for<br/>`/baz/info.html` would return the contents of the file `/app/foo/info.html`. |
 | `uri` | _string_ | The URI of the upstream server. This may be an HTTP(S) server of a File<br/>based URL. It may include a path, in which case all requests will be served<br/>under that path.<br/>Eg:<br/>- http://localhost:8080<br/>- https://service.localhost<br/>- https://service.localhost/path<br/>- file://host/path<br/>If the URI's path is "/base" and the incoming request was for "/dir",<br/>the upstream request will be for "/base/dir". |
 | `insecureSkipTLSVerify` | _bool_ | InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br/>This option is insecure and will allow potential Man-In-The-Middle attacks<br/>between OAuth2 Proxy and the upstream server.<br/>Defaults to false. |
 | `static` | _bool_ | Static will make all requests to this upstream have a static response.<br/>The response will have a body of "Authenticated" and a response code<br/>matching StaticCode.<br/>If StaticCode is not set, the response will return a 200 response. |