diff --git a/.circleci/config.yml b/.circleci/config.yml new file mode 100644 index 0000000000..321e663ec2 --- /dev/null +++ b/.circleci/config.yml @@ -0,0 +1,23 @@ +version: 2.1 +orbs: + docker: circleci/docker@1.5.0 + bot: lifen/bot@0 # locked on major version + +workflows: + build: + jobs: + - docker/hadolint: + dockerfiles: Dockerfile + # DL3006: Always tag the version of an image explicitly + # SC2059 : Don't use variables in the printf format string. Use printf '..%s..' "$foo" + ignore-rules: 'DL3006,SC2059' + - bot/docker-build-and-push: + name: build-ci-docker-image + context: org-global + dockerTag: $CIRCLE_SHA1 + requires: + - docker/hadolint + filters: + branches: + only: + - "master" diff --git a/.github/labeler.yml b/.github/labeler.yml deleted file mode 100644 index 6d627b9dec..0000000000 --- a/.github/labeler.yml +++ /dev/null @@ -1,35 +0,0 @@ -go: - - changed-files: - - any-glob-to-any-file: - - '**/*.go' - -docs: - - changed-files: - - any-glob-to-any-file: - - '**/*.md' - -changelog: - - changed-files: - - any-glob-to-any-file: - - 'CHAGELOG.md' - -tests: - - changed-files: - - any-glob-to-any-file: - - '**/*_test.go' - -provider: - - changed-files: - - any-glob-to-any-file: - - 'providers/**/*' - -dependencies: -- changed-files: - - any-glob-to-any-file: - - 'go.mod' - - 'go.sum' - -docker: - - changed-files: - - any-glob-to-any-file: - - '**/Dockerfile' diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml deleted file mode 100644 index 14926eb3fa..0000000000 --- a/.github/workflows/ci.yaml +++ /dev/null @@ -1,75 +0,0 @@ -name: Continuous Integration - -on: - push: - branches: - - '**' - # - $default-branch - pull_request: - branches: - - '**' - # - $default-branch - -jobs: - build: - env: - COVER: true - runs-on: ubuntu-latest - steps: - - - name: Check out code - uses: actions/checkout@v4 - - - name: Set up Go - uses: actions/setup-go@v5 - with: - # renovate: datasource=golang-version depName=golang - go-version: 1.22.4 - id: go - - - name: Get dependencies - env: - # renovate: datasource=github-tags depName=golangci/golangci-lint - GOLANGCI_LINT_VERSION: v1.55.2 - # renovate: datasource=github-tags depName=codeclimate/test-reporter - CODECLIMATE_VERSION: v1.0.1 - run: | - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION} - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-${CODECLIMATE_VERSION#v}-linux-amd64 > ./cc-test-reporter - chmod +x ./cc-test-reporter - - - name: Verify Code Generation - run: | - make verify-generate - - - name: Lint - run: | - make lint - - - name: Build - run: | - make build - - - name: Test - env: - CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }} - run: | - ./.github/workflows/test.sh - - docker: - runs-on: ubuntu-latest - steps: - - - name: Check out code - uses: actions/checkout@v4 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - - name: Docker Build - run: | - make docker diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 021affae3c..0000000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,57 +0,0 @@ -name: "Code scanning - action" - -on: - push: - branches: [master, ] - pull_request: - # The branches below must be a subset of the branches above - branches: [master] - schedule: - - cron: '0 15 * * 2' - -jobs: - CodeQL-Build: - - strategy: - fail-fast: false - - # CodeQL runs on ubuntu-latest and windows-latest - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - # We must fetch at least the immediate parents so that if this is - # a pull request then we can checkout the head. - fetch-depth: 2 - - # If this run was triggered by a pull request event, then checkout - # the head of the pull request instead of the merge commit. - - run: git checkout HEAD^2 - if: ${{ github.event_name == 'pull_request' }} - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: go - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml deleted file mode 100644 index 2976a5149e..0000000000 --- a/.github/workflows/create-release.yml +++ /dev/null @@ -1,117 +0,0 @@ -name: Create Release -run-name: Create release ${{ inputs.version }} - -on: - workflow_dispatch: - inputs: - version: - description: 'Version for new release' - required: true - -permissions: - contents: write - pull-requests: write - -jobs: - release: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - ref: master - fetch-depth: 0 - fetch-tags: true - - - name: Validate version - id: validate - run: | - function ver { printf "%03d%03d%03d%03d" $(echo "$1" | tr '.' ' '); } - - NEW_VERSION=${{ inputs.version }} - NEW_VERSION=${NEW_VERSION#v} # Remove v prefix - - LATEST_VERSION=$(git describe --abbrev=0 --tags) - LATEST_VERSION=${LATEST_VERSION#v} # Remove v prefix - - # check that new version can be parsed - if [ ! $(ver $NEW_VERSION ) -gt $(ver 0) ]; then - echo "::error::Entered version '${{ inputs.version }}' cannot be parsed" - exit 1 - fi - - # check version continuity - if [ ! $(ver $LATEST_VERSION) -lt $(ver $NEW_VERSION) ]; then - echo "::error::Entered version '${{ inputs.version }}' is smaller then latest version $LATEST_VERSION" - exit 1 - fi - - echo "version=${NEW_VERSION}" >> "$GITHUB_OUTPUT" - - - name: Prepare Github Actions Bot - run: | - git config --local user.name "github-actions[bot]" - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - - - name: Setup node - uses: actions/setup-node@v4 - with: - node-version-file: docs/package.json - - - name: Update documentation - run: | - cd docs - - FULL_VERSION=${{ steps.validate.outputs.version }} - VERSION=${FULL_VERSION%.*}.x - - if [ ! -d "versioned_docs/version-${VERSION}" ]; then - npm ci - npm run docusaurus docs:version ${VERSION} - - git add . - git commit -m "add new docs version ${VERSION}" - fi - - sed -i "s/(current release is .*)/(current release is \`v${FULL_VERSION}\`)/g" docs/installation.md - sed -i "s/(current release is .*)/(current release is \`v${FULL_VERSION}\`)/g" versioned_docs/version-${VERSION}/installation.md - - - name: Update Changelog - run: | - VERSION=${{ steps.validate.outputs.version }} - - sed -i "s/#.*(Pre-release)/# V${VERSION}/g" CHANGELOG.md - - cat << EOF > /tmp/CHANGELOG.prepend - # Vx.x.x (Pre-release) - - ## Release Highlights - - ## Important Notes - - ## Breaking Changes - EOF - - echo -e "$(cat /tmp/CHANGELOG.prepend)\n\n$(cat CHANGELOG.md)" > CHANGELOG.md - - - name: Update development files - run: | - VERSION=${{ steps.validate.outputs.version }} - cd contrib - grep -rl "quay.io/oauth2-proxy/oauth2-proxy:" | \ - xargs sed -i "s#quay.io/oauth2-proxy/oauth2-proxy:v[0-9]\+\.[0-9]\+\.[0-9]\+#quay.io/oauth2-proxy/oauth2-proxy:v${VERSION}#g" - - - name: Commit and push - run: | - VERSION=${{ steps.validate.outputs.version }} - - git checkout -b release/v${VERSION} - git commit -am "update to release version v${VERSION}" - git push -u origin release/v${VERSION} - - - name: Create PR - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - VERSION=v${{ steps.validate.outputs.version }} - gh pr create -B master -H release/${VERSION} --title "release ${VERSION}" --body "Release branch and changes created by GitHub Actions. This PR should include changes to the docs, CHANGELOG and local environment files." diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml deleted file mode 100644 index 1833e0d4b9..0000000000 --- a/.github/workflows/docs.yaml +++ /dev/null @@ -1,70 +0,0 @@ -name: documentation - -on: - pull_request: - branches: [master] - paths: ['docs/**'] - push: - branches: [master] - paths: ['docs/**'] - workflow_dispatch: - -jobs: - pull-request-check: - if: github.event_name == 'pull_request' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Setup Pages - id: pages - uses: actions/configure-pages@v5 - - - uses: actions/setup-node@v4 - with: - # renovate: datasource=node-version depName=node - node-version: 20 - cache: npm - cache-dependency-path: "./docs/package-lock.json" - - - name: Test Build - working-directory: ./docs - run: | - npm ci - npm run build - - build-docs: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-node@v4 - with: - # renovate: datasource=node-version depName=node - node-version: 20 - - - name: Build docusaurus - working-directory: ./docs - run: | - npm ci - npm run build - - - name: Upload artifact - uses: actions/upload-pages-artifact@v3 - with: - path: ./docs/build - - deploy-docs: - needs: build-docs - runs-on: ubuntu-latest - permissions: - pages: write # to deploy to Pages - id-token: write # to verify the deployment originates from an appropriate source - environment: - name: github-pages - url: ${{ steps.deployment.outputs.page_url }} - steps: - - name: Deploy to GitHub Pages - id: deployment - uses: actions/deploy-pages@v4 diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml deleted file mode 100644 index b3e8543821..0000000000 --- a/.github/workflows/labeler.yaml +++ /dev/null @@ -1,15 +0,0 @@ -name: "Pull Request Labeler" -on: - pull_request_target: - -jobs: - triage: - permissions: - contents: read - pull-requests: write - runs-on: ubuntu-latest - steps: - - uses: actions/labeler@v5 - with: - sync-labels: true - dot: true diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml deleted file mode 100644 index 9693ba3e7b..0000000000 --- a/.github/workflows/nightly.yml +++ /dev/null @@ -1,41 +0,0 @@ -name: Nightly builds - -on: - schedule: # Run every day at 03:00 UTC - - cron: '0 3 * * *' - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - # only run this build in the main repository, not in forks - if: github.repository == 'oauth2-proxy/oauth2-proxy' - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - ref: master - fetch-depth: 0 - fetch-tags: true - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to quay.io - uses: docker/login-action@v3 - with: - registry: quay.io/oauth2-proxy - username: ${{ secrets.REGISTRY_USERNAME_NIGHTLY }} - password: ${{ secrets.REGISTRY_PASSWORD_NIGHTLY }} - - - name: Build images - run: | - make docker-nightly-build - - - name: Push images - run: | - make docker-nightly-push diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml deleted file mode 100644 index 7d6447164f..0000000000 --- a/.github/workflows/publish-release.yml +++ /dev/null @@ -1,128 +0,0 @@ -name: Publish Release -run-name: ${{ github.event.pull_request.head.ref }} - -on: - pull_request_target: - branches: - - master - types: - - closed - -permissions: - contents: write - pull-requests: write - -jobs: - publish: - if: github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/') - runs-on: ubuntu-latest - outputs: - tag: ${{ steps.tag.outputs.version }} - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.merge_commit_sha }} - fetch-depth: 0 - fetch-tags: true - - - name: Tag release - run: | - # Set up github-actions[bot] user - git config --local user.name "github-actions[bot]" - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - - # Get the version from the branch name - branch="${{ github.event.pull_request.head.ref }}" - version="${branch#release/}" - echo ${version} - - # Tag and create release - git tag -a "${version}" -m "Release ${version}" - echo "version=${version}" >> $GITHUB_OUTPUT - id: tag - - - name: Set up go - uses: actions/setup-go@v5 - with: - go-version-file: go.mod - - - name: Get dependencies - env: - GOLANGCI_LINT_VERSION: v1.55.2 - run: | - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION} - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter - chmod +x ./cc-test-reporter - - # Install go dependencies - go mod download - - - name: Build Artifacts - run: make release - - # Upload artifacts in case of workflow failure - - name: Upload Artifacts - uses: actions/upload-artifact@v4 - with: - name: oauth2-proxy-artifacts - path: | - release/*.tar.gz - release/*.txt - - - name: Create release - env: - GH_TOKEN: ${{ github.token }} - run: | - # Get version from tag - version=$(git describe --tags --abbrev=0) - - # Extract CHANGELOG - numericVersion="${version#v}" - notes=$(sed -E "/^# (v|V)$numericVersion$/,/^# (v|V)/!d;//d" CHANGELOG.md) - - # Publish release tag - git push origin "${version}" - - # Create github release - gh release create "${version}" \ - --title "${version}" \ - --notes "${notes}" \ - --prerelease - - # Upload artifacts - gh release upload "${version}" release/*.tar.gz - gh release upload "${version}" release/*.txt - - docker: - needs: publish - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - ref: ${{ needs.publish.outputs.tag }} - fetch-depth: 0 - fetch-tags: true - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to quay.io - uses: docker/login-action@v3 - with: - registry: quay.io/oauth2-proxy - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} - - - name: Build images - run: | - make docker-all - - - name: Push images - run: | - make docker-push-all diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml deleted file mode 100644 index 5df173b155..0000000000 --- a/.github/workflows/stale.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Mark stale issues and pull requests - -on: - schedule: - - cron: "0 0 * * *" - -jobs: - stale: - - runs-on: ubuntu-latest - - steps: - - uses: actions/stale@v9 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-issue-message: 'This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.' - stale-pr-message: 'This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.' diff --git a/.github/workflows/test.sh b/.github/workflows/test.sh deleted file mode 100755 index d1a1218296..0000000000 --- a/.github/workflows/test.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# manually exiting from script, because after-build needs to run always -set +e - -if [ -z $CC_TEST_REPORTER_ID ]; then - echo "1. CC_TEST_REPORTER_ID is unset, skipping" -else - echo "1. Running before-build" - ./cc-test-reporter before-build -fi - -echo "2. Running test" -make test -TEST_STATUS=$? - -if [ -z $CC_TEST_REPORTER_ID ]; then - echo "3. CC_TEST_REPORTER_ID is unset, skipping" -else - echo "3. Running after-build" - ./cc-test-reporter after-build --exit-code $TEST_STATUS --prefix $(go list -m) -fi - -if [ "$TEST_STATUS" -ne 0 ]; then - echo "Test failed, status code: $TEST_STATUS" - exit $TEST_STATUS -fi diff --git a/oauthproxy.go b/oauthproxy.go index 5a237eadc6..bb053a7e8f 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -886,6 +886,11 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) { err = p.enrichSessionState(req.Context(), session) if err != nil { + if err.Error() == "user is missing required team" { + logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via OAuth2: unauthorized. User is missing required team") + p.ErrorPage(rw, req, http.StatusForbidden, "Invalid authentication: user is missing required team") + return + } logger.Errorf("Error creating session during OAuth2 callback: %v", err) p.ErrorPage(rw, req, http.StatusInternalServerError, err.Error()) return