Merge branch 'main' of https://github.com/hashicorp/cap into saml-lib

hashicorp · Sep 21, 2023 · c4603a1 · c4603a1
2 parents e0aaca8 + 899e3f8
commit c4603a1
Show file tree

Hide file tree

Showing 83 changed files with 1,958 additions and 858 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -39,11 +39,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
@@ -0,0 +1,16 @@
+name: Go fuzz test
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+jobs:
+  fuzz-lexer-test:
+    name: Fuzz escapeValue(...) test
+    runs-on: ubuntu-latest
+    steps:
+        # commit hash == v1.2.0
+      - uses: jidicula/go-fuzz-action@4f24eed45b25214f31a9fe035ca68ea2c88c6a13
+        with:
+          fuzz-time: 30s
+          fuzz-regexp: Fuzz_EscapeValue
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -2,53 +2,55 @@ name: Go
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
 
 jobs:
-
   build:
     name: Build
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: Set up Go 1.x
-      uses: actions/setup-go@v2
-      with:
-        go-version: ^1.13
-
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+    strategy:
+      fail-fast: true
+      matrix:
+        go: ["1.20", "1.19", "1.18"]
+        platform: [ubuntu-latest] # can not run in windows OS
+    runs-on: ${{ matrix.platform }}
 
-    - name: Get dependencies
-      run: |
-        go get -v -t -d ./...
-        if [ -f Gopkg.toml ]; then
-            curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
-            dep ensure
-        fi
-
-    - name: Build
-      run: |
-        set -e
-        exit_status=
-        for f in $(find . -name go.mod)
-        do
-          pushd $(dirname $f) > /dev/null
-          go build ./... || exit_status=$?
-          popd > /dev/null
-        done
-        exit $status
-
-    - name: Test
-      run: |
-        set -e
-        exit_status=
-        for f in $(find . -name go.mod)
-        do
-          pushd $(dirname $f) > /dev/null
-          go test -test.v ./... || exit_status=$?
-          popd > /dev/null
-        done
-        exit $exit_status
+    steps:
+      - name: Set up Go 1.x
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        with:
+          go-version: ${{ matrix.go }}
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+
+      - name: go mod package cache
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ matrix.go }}-${{ hashFiles('tests/go.mod') }}
+
+      - name: Build
+        run: |
+          set -e
+          exit_status=
+          for f in $(find . -name go.mod)
+          do
+            pushd $(dirname $f) > /dev/null
+            go build ./... || exit_status=$?
+            popd > /dev/null
+          done
+          exit $status
+
+      - name: Test
+        run: |
+          set -e
+          exit_status=
+          for f in $(find . -name go.mod)
+          do
+            pushd $(dirname $f) > /dev/null
+            go test -test.v ./... || exit_status=$?
+            popd > /dev/null
+          done
+          exit $exit_status
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,7 +4,58 @@ Canonical reference for changes, improvements, and bugfixes for cap.
 
 ## Next
 
-* Add Validator `ValidateAllowMissingIatNbfExp` method to allow all of iat/nbf/exp to be missing.
+* LDAP
+  * Add worker pool for LDAP token group lookups ([**PR**](https://github.com/hashicorp/cap/pull/98))
+
+## 0.3.4
+
+### Bug fixes
+
+* OIDC/examples/cli
+  * Use free port if OIDC_PORT is not set for the example ([**PR**](https://github.com/hashicorp/cap/pull/79))
+
+
+## 0.3.3
+### Bug fixes:
+* LDAP
+  * A more compete fix for `escapeValue(...)` and we've stopped exporting it ([**PR**](https://github.com/hashicorp/cap/pull/78))
+## 0.3.2
+
+### Bug fixes:
+* Address a set of LDAP issues ([**PR**](https://github.com/hashicorp/cap/pull/77)):
+  * Properly escape user filters when using UPN domains
+  * Increase max tls to 1.3
+  * Improve `EscapeValue(...)`
+  * Use text template for rendering filters
+
+## 0.3.1
+
+### Bug Fixes
+* Fixes integer overflow in `auth_time` claim validation when compiled for 32-bit 
+  architecture ([**PR**](https://github.com/hashicorp/cap/pull/76))
+
+## 0.3.0
+#### OIDC
+* Add `ProviderConfig` which creates a provider that doesn't support
+  OIDC discovery. It's probably better to use NewProvider(...) with discovery
+  whenever possible ([**PR**](https://github.com/hashicorp/cap/pull/57) and [issue](https://github.com/hashicorp/cap/issues/55)).
+* Improve WSL detection ([**PR**](https://github.com/hashicorp/cap/pull/51))
+* Add option to allow all of IAT, NBF, and EXP to be missing
+  ([**PR**](https://github.com/hashicorp/cap/pull/50))
+* Validate sub and aud are present in an id_token ([**PR**](https://github.com/hashicorp/cap/pull/48))
+
+#### LDAP
+* Add better (more consistent) timeouts ([**PR**](https://github.com/hashicorp/cap/pull/61))
+* Add better error msgs on failed search queries ([**PR**](https://github.com/hashicorp/cap/pull/60))
+* Add new config fields for including/excluding user attrs ([**PR**](https://github.com/hashicorp/cap/pull/59))
+* Add `WithUserAttributes(...)` option to the ldap package that allows callers
+  to request that attributes be returned for the authenticating user ([**PR**](https://github.com/hashicorp/cap/pull/58))
+
+
+
+## 0.2.0 (2022/04/08)
+* Add support for LDAP/AD authentication ([**PR**](https://github.com/hashicorp/cap/pull/47))
+
 
 ## 0.1.1 (2021/06/24)
 

diff --git a/LICENSE b/LICENSE
@@ -1,3 +1,5 @@
+Copyright (c) 2020 HashiCorp, Inc.
+
 Mozilla Public License, version 2.0
 
 1. Definitions

diff --git a/docs.go b/docs.go
@@ -1,3 +1,6 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 // cap (collection of authentication packages) provides a collection of related
 // packages which enable support for OIDC, JWT Verification, and Distributed Claims.
 //

diff --git a/docs_test.go b/docs_test.go
@@ -1,3 +1,6 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 package cap_test
 
 import (

diff --git a/go.mod b/go.mod
@@ -1,26 +1,32 @@
 module github.com/hashicorp/cap
 
-go 1.15
+go 1.20
 
 require (
-	github.com/coreos/go-oidc/v3 v3.1.0
-	github.com/fatih/color v1.13.0 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/coreos/go-oidc/v3 v3.5.0
+	github.com/go-jose/go-jose/v3 v3.0.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
-	github.com/hashicorp/go-hclog v1.0.0
+	github.com/hashicorp/go-hclog v1.4.0
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-uuid v1.0.2
-	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/stretchr/testify v1.7.0
+	github.com/hashicorp/go-uuid v1.0.3
+	github.com/stretchr/testify v1.8.1
 	github.com/yhat/scrape v0.0.0-20161128144610-24b7890b0945
-	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 // indirect
-	golang.org/x/net v0.0.0-20211216030914-fe4d6282115f
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
-	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
-	golang.org/x/text v0.3.7
+	golang.org/x/net v0.7.0
+	golang.org/x/oauth2 v0.5.0
+	golang.org/x/text v0.7.0
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fatih/color v1.14.1 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	golang.org/x/crypto v0.6.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )