Code complete for January #4

Open
wants to merge 122 commits into
base: master
Commits
122 commits
1760d0a
Add Wire authz and challenges (OIDC+DPOP)
stefanwire Dec 8, 2022
c01f748
adapt Github actions
stefanwire Jan 2, 2023
63ec8fc
add Helm charts
stefanwire Jan 13, 2023
5603e13
update wire challenges' status on happy end
stefanwire Jan 31, 2023
66d853e
add debugging code
stefanwire Feb 1, 2023
5f5b556
simplify OIDC verification
stefanwire Feb 1, 2023
7e7589d
log errors
beltram Feb 1, 2023
77f8101
log a missing error
beltram Feb 2, 2023
b8e938b
use json struct for challenge request payload otherwise it's a hell t…
beltram Feb 2, 2023
e41bc39
acquire DPoP signing key from provisioner
stefanwire Feb 2, 2023
b6019ae
better observability
beltram Feb 2, 2023
582e029
avoid panic when OIDC config is not provided
stefanwire Feb 2, 2023
da357eb
fixup! add Helm charts
stefanwire Feb 2, 2023
e30e6d1
print oidc options
beltram Feb 2, 2023
7d3fa20
print nested error
beltram Feb 2, 2023
2c932cf
print dpop sign key
beltram Feb 3, 2023
19cc522
fix: challenge is '.token' and not '.id'
beltram Feb 3, 2023
6de2831
temp: use rusty-jwt-tools test branch
beltram Feb 3, 2023
53f9af5
print cli stdout
beltram Feb 3, 2023
6929acb
debug output
stefanwire Feb 6, 2023
befc378
fix hash algorithm passed to cli
beltram Feb 6, 2023
669c74c
avoid manipulating the key PEM format and take a plain PEM key as input
beltram Feb 6, 2023
b3e8cd9
print oidc claims
beltram Feb 6, 2023
869074b
print keyauth
beltram Feb 6, 2023
e3ee0d7
debug KeyAuthorization
beltram Feb 7, 2023
cfd240c
debug oidc claims validation
beltram Feb 7, 2023
9b994cc
cleanup some panicking debugs
beltram Feb 7, 2023
5a2f5b6
debug csr org validation
beltram Feb 7, 2023
5d3d660
fix csr org validation in finalize
beltram Feb 7, 2023
7b1f61a
fix csr domain validation in finalize
beltram Feb 7, 2023
3f42e0d
(finalize) have both display name & domain in SANs
beltram Feb 8, 2023
40f56b4
fix orderNames size
beltram Feb 8, 2023
68a0bca
cleanup my mess
beltram Feb 8, 2023
0a7aa34
fix san validation
beltram Feb 9, 2023
8fa3800
change uri prefix to impp:wireapp=
beltram Feb 9, 2023
7799a4d
debug space in display name
beltram Feb 9, 2023
82c2ae5
wtf
beltram Feb 9, 2023
a7b76b0
wtf part(2)
beltram Feb 9, 2023
a261aea
skip empty entries for uniqueSortedLowerNames
stefanwire Feb 9, 2023
1bdc315
cleanup
beltram Feb 9, 2023
dbcb729
build: build docker image from rusty-jwt-tools main branch
beltram Feb 10, 2023
9446723
feat: adapt to dex and pass the 'keyauth' in payload instead of in id…
beltram Feb 23, 2023
238d235
error logging is back (as it should always be)
beltram Feb 24, 2023
d2a96c0
log the sub error
beltram Feb 24, 2023
93c3545
feat: change from impp prefix to just im
beltram Mar 6, 2023
d26f747
build rusty-jwt-tools from dex branch
beltram Mar 6, 2023
af65dc4
fix: exclude displayName from SAN DNS
beltram Mar 7, 2023
9138ff5
remove displayName validation, potentially harmful
beltram Mar 8, 2023
800d832
forward displayName in CSR with custom OID
beltram Mar 8, 2023
472cad1
upgrade dependencies
stefanwire Mar 22, 2023
2a354cd
try using google oidc for demo purpose
beltram Mar 28, 2023
9d6085f
dbg google oidc challenge claims matching
beltram Mar 29, 2023
9d80a1f
fix google id token matching in oidc challenge
beltram Mar 29, 2023
24ba504
infer domain from google email address
beltram Mar 29, 2023
336d0e0
dbg again
beltram Mar 29, 2023
22e8821
debounce logs
beltram Mar 29, 2023
d3d2714
adapt google demo for wire's special handle format "{firstname}_wire"
beltram Mar 30, 2023
bc4f20c
add logs again
beltram Apr 3, 2023
675c9d9
fix: add URI prefix to handle
beltram Apr 3, 2023
5460c46
fix: do not convert URIs to lowercase for comparison purpose
beltram Apr 4, 2023
5ee4690
wip
beltram May 3, 2023
f806c58
fix: challenge target field was not mapped to db entity
beltram May 4, 2023
c162a78
dbg target computation
beltram May 4, 2023
5930e94
add oidc target
beltram May 4, 2023
c10f0c2
simpler
beltram May 4, 2023
feaed30
passing expected issuer to rusty-jwt-cli
beltram May 4, 2023
aa710b5
remove logs
beltram May 5, 2023
1ad662a
remove custom rusty-jwt-tools branch for building cli
beltram May 5, 2023
537984b
Replace field access by accessor functions
stefanwire May 5, 2023
e8ffd84
Reorganize parsing target
stefanwire May 5, 2023
972560b
reintroduce custom rusty-jwt-tools branch to test a thing
beltram May 5, 2023
fe036bf
dbg issuer in dpop challenge
beltram May 5, 2023
1e1ba74
fix deviceId computing in dpop challenge
beltram May 5, 2023
5a06603
Merge pull request #2 from wireapp/feat/target-htu
beltram May 10, 2023
b8284f0
trying to pass access token to template
beltram May 12, 2023
04983b9
remove custom rusty-jwt-tools branch
beltram May 12, 2023
cb22af5
try silencing template data for dichotomies
beltram May 15, 2023
9fc0c39
try the dummiest example
beltram May 15, 2023
77a65b6
try another way
beltram May 15, 2023
1dd58d0
try another way (2)
beltram May 15, 2023
2e02f92
try by storing everything in db
beltram May 16, 2023
f009b66
dbg some stuff
beltram May 16, 2023
3decbfb
dbg account id
beltram May 17, 2023
938a349
have updateOrder also update the update joint table [order by account]
beltram May 17, 2023
89bf043
at that point, log the whole universe and pray to figure something out
beltram May 17, 2023
7358854
log more things
beltram May 22, 2023
23c5c44
cheat by allowing also looking up for ready orders
beltram May 22, 2023
4f5e0f4
wip
beltram May 22, 2023
308ecff
logs to understand dpop db
beltram May 22, 2023
d3d4215
fix dpop token json serialization to db
beltram May 22, 2023
868ffd7
more logs
beltram May 22, 2023
dd6389f
I'm tired
beltram May 22, 2023
3d447d8
remove logs
beltram May 22, 2023
e85f184
support for oidc id token
beltram May 22, 2023
a43b0b7
fix: verify custom display_name extension is present
beltram May 23, 2023
418c811
fix: PR review
beltram May 26, 2023
ae63ff7
fix: invalid OID for display name in CSR
beltram Jun 6, 2023
024147f
fix: access token verification in DPoP challenge. Was previously veri…
beltram Jul 28, 2023
06e08cc
client jwk was there the whole time
beltram Jul 28, 2023
e85903a
print kid for debugging
beltram Jul 28, 2023
644188a
b64 encode the kid since apparently it wasn't
beltram Jul 28, 2023
1d99127
fix: use the correct userId format
beltram Jul 31, 2023
c0bde61
feat: use latest rusty-jwt-tools branch & verify dpop token api-version
beltram Aug 29, 2023
52b2396
fix: could not reuse a signing key otherwise it would create in accou…
beltram Sep 12, 2023
5cb200f
fix: oops
beltram Sep 12, 2023
e92a173
fix: same issue as with oidc challenge
beltram Sep 12, 2023
5eb51a0
fix: add cors headers
beltram Nov 7, 2023
0f480cb
Use R3 root cert in smallstep Docker image
rohan-wire Nov 16, 2023
7a59cee
feat: remove custom hardcoded OIDC challenge for Google
beltram Nov 20, 2023
c5ababc
Merge pull request #5 from wireapp/rohan/docker-r3-cert
rohan-wire Nov 21, 2023
ee2a2e0
feat: update the protocol by including team & handle in the client dp…
beltram Nov 22, 2023
cf76821
build: try fixing chmod issue in docker build
beltram Nov 22, 2023
2248ae7
build: disable chmod on r3.crt. Need to come back at it later
beltram Nov 22, 2023
d93fbbc
feat: remove query parameters from OIDC issuerUrl so that it allows u…
beltram Dec 15, 2023
7366934
build: cleanup docker build
beltram Dec 15, 2023
1b3b925
feat: try using the new ClientId & Handle format (i.e. plain URIs)
beltram Jan 2, 2024
260228f
chore: use correct rusty-jwt-tools branch with latest client-id changes
beltram Jan 2, 2024
d9b822f
dbg
beltram Jan 2, 2024
527b131
feat: change the separator between user-id & device-id in a client-id…
beltram Jan 5, 2024
e25e8f3
fix: keyauth was not bound to the id token
beltram Jan 9, 2024
6e5533c
inverting oidc claims name & handle just for testing Keycloak, DO NOT…
beltram Jan 15, 2024
aa0085a
remove rusty-jwt-tools branch
beltram Jan 15, 2024
37 changes: 28 additions & 9 deletions .github/workflows/ci.yml
@@ -8,19 +8,38 @@ on:
- "master"
pull_request:
workflow_call:
secrets:
CODECOV_TOKEN:
required: true

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

jobs:
ci:
uses: smallstep/workflows/.github/workflows/goCI.yml@main
with:
os-dependencies: "libpcsclite-dev"
run-gitleaks: true
run-codeql: true
secrets: inherit
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@v3
- name: Install OS dependencies
run: |
sudo apt-get update && sudo apt-get install -y libpcsclite-dev
- name: Install Go
uses: actions/setup-go@v3
with:
go-version: 1.19
check-latest: true
cache: true
# - name: Configure Linter
# run: |
# curl -LO https://raw.githubusercontent.com/smallstep/workflows/master/.golangci.yml
# - name: Lint
# uses: golangci/golangci-lint-action@v3
# with:
# version: v1.50
# args: --timeout=30m
# skip-pkg-cache: true
# - name: Test
# run: |
# go test ./...
- name: Build
run: |
go build cmd/step-ca/main.go
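Review bot: the inline `ci` job that replaces `smallstep/workflows/.github/workflows/goCI.yml@main` keeps only the build: `run-gitleaks: true` and `run-codeql: true` are gone and the `Lint` and `Test` steps (`go test ./...`) are left commented out, so a change that compiles but fails its tests, or that commits a secret, now passes CI. Suggest re-enabling at least the `Test` step before merge and bringing gitleaks/CodeQL back as separate steps, especially since `code-scan-cron.yml` is deleted in the same PR, leaving no code scanning at all. Minor: `actions/checkout@v3` and `actions/setup-go@v3` are referenced by mutable major tags; pinning them to a commit SHA protects the pipeline against a moved or compromised tag.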
9 changes: 0 additions & 9 deletions .github/workflows/code-scan-cron.yml

This file was deleted.

74 changes: 19 additions & 55 deletions .github/workflows/release.yml
Expand Up @@ -8,15 +8,14 @@ on:

jobs:
ci:
uses: smallstep/certificates/.github/workflows/ci.yml@master
secrets: inherit
uses: ./.github/workflows/ci.yml

create_release:
name: Create Release
needs: ci
runs-on: ubuntu-latest
env:
DOCKER_IMAGE: smallstep/step-ca
DOCKER_IMAGE: quay.io/wire/smallstep-acme
outputs:
version: ${{ steps.extract-tag.outputs.VERSION }}
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
@@ -40,61 +39,26 @@ jobs:
if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false'
run: |
echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> ${GITHUB_ENV}
- name: Create Release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref }}
release_name: Release ${{ github.ref }}
draft: false
prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}

goreleaser:
name: Upload Assets To Github w/ goreleaser
runs-on: ubuntu-latest
build_upload_docker:
name: Build & Upload Docker Images
needs: create_release
permissions:
id-token: write
contents: write
runs-on: ubuntu-latest
environment: quay.io
steps:
- name: Checkout
- name: Checkout Repo
uses: actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v3
- name: Login to Quay.io
uses: docker/login-action@v2
with:
go-version: 1.19
check-latest: true
- name: Install cosign
uses: sigstore/cosign-installer@v2
registry: quay.io
username: ${{ secrets.DOCKER_USER_NAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Push Docker Image
uses: docker/build-push-action@v3
with:
cosign-release: 'v1.13.1'
- name: Get Release Date
id: release_date
run: |
RELEASE_DATE=$(date +"%y-%m-%d")
echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v3
with:
version: 'latest'
args: release --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
RELEASE_DATE: ${{ env.RELEASE_DATE }}
COSIGN_EXPERIMENTAL: 1

build_upload_docker:
name: Build & Upload Docker Images
needs: create_release
permissions:
id-token: write
contents: write
uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
with:
platforms: linux/amd64,linux/386,linux/arm,linux/arm64
tags: ${{ needs.create_release.outputs.docker_tags }}
docker_image: smallstep/step-ca
docker_file: docker/Dockerfile.step-ca
secrets: inherit
push: true
context: .
file: docker/Dockerfile.step-ca
tags: ${{ needs.create_release.outputs.docker_tags }}
platforms: linux/amd64
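Review bot: `build_upload_docker` keeps `permissions: id-token: write` and `contents: write`, but neither is used any more: the OIDC token existed for the keyless cosign signing in the removed goreleaser job (`sigstore/cosign-installer`, `COSIGN_EXPERIMENTAL: 1`), and none of the new steps writes to the repository, so both should go (`contents: read` suffices for `actions/checkout@v3`). Related: with the goreleaser job gone, the images pushed to `quay.io/wire/smallstep-acme` are no longer signed; if anyone verifies signatures on pull, add a `cosign sign` step after `docker/build-push-action@v3` (that step is what would justify `id-token: write`). The `Create Release` step and `GORELEASER_PAT` are also removed, so the `create_release` job now only computes `DOCKER_TAGS`; a comment or rename would save the next reader some confusion. Finally, `platforms` narrows from four targets to `linux/amd64` only, which is fine if intended but is not mentioned anywhere.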
16 changes: 0 additions & 16 deletions .github/workflows/triage.yml

This file was deleted.
